Online Safety Bill
Ruth Edwards ExcerptsMonday 5th December 2022
(1 year, 4 months ago)
Commons ChamberRead Full debate Online Safety Act 2023 View all Online Safety Act 2023 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Consideration of Bill Amendments as at 5 December 2022 - (5 Dec 2022)
Paul Scully
As I said, the social media platforms will have to put in place robust age assurance and age verification for material in an accredited form that is acceptable to Ofcom, which will look at that.
Tackling violence against women and girls is a key priority for the Government. It is unacceptable that women and girls suffer disproportionately from abuse online, and it is right that we go further to address that through the Bill. That is why we will name the commissioner for victims and witnesses and the Domestic Abuse Commissioner as statutory consultees for the code of practice and list “coercive or controlling behaviour” as a priority offence. That offence disproportionately affects women and girls, and that measure will mean that companies will have to take proactive measures to tackle such content.
Finally, we are making a number of criminal law reforms, and I thank the Law Commission for the great deal of important work that it has done to assess the law in these areas.
Ruth Edwards (Rushcliffe) (Con)
I strongly welcome some of the ways in which the Bill has been strengthened to protect women and girls, particularly by criminalising cyber-flashing, for example. Does the Minister agree that it is vital that our laws keep pace with the changes in how technology is being used? Will he therefore assure me that the Government will look to introduce measures along the lines set out in new clauses 45 to 50, standing in the name of my right hon. Friend the Member for Basingstoke (Dame Maria Miller), who is leading fantastic work in this area, so that we can build on the Government’s record in outlawing revenge porn and threats to share it?
Paul Scully
I thank my hon. Friend, and indeed I thank my right hon. Friend the Member for Basingstoke (Dame Maria Miller) for the amazing work that she has done in this area. We will table an amendment to the Bill to criminalise more behaviour relating to intimate image abuse, so more perpetrators will face prosecution and potentially time in jail. My hon. Friend has worked tirelessly in this area, and we have had a number of conversations. I thank her for that. I look forward to more conversations to ensure that we get the amendment absolutely right and that it does exactly what we all want.
The changes we are making will include criminalising the non-consensual sharing of manufactured intimate images, which, as we have heard, are more commonly known as deepfakes. In the longer term, the Government will also take forward several of the Law Commission’s recommendations to ensure that the legislation is coherent and takes account of advancements in technology.
We will also use the Bill to bring forward a further communication offence to make the encouragement of self-harm illegal. We have listened to parliamentarians and stakeholders concerned about such behaviour and will use the Bill to criminalise that activity, providing users with protections from that harmful content. I commend my right hon. Friend the Member for Haltemprice and Howden on his work in this area and his advocacy for such a change.
Product Security and Telecommunications Infrastructure Bill
Ruth Edwards ExcerptsWednesday 25th May 2022
(1 year, 11 months ago)
Commons ChamberRead Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: Consideration of Bill Amendments as at 25 May 2022 - (25 May 2022)
Chris Elmore (Ogmore) (Lab)
You will be aware, Madam Deputy Speaker, that I have spent at least the last five and a half years as an Opposition Whip encouraging brevity, so I do not intend to keep the House too long. I will keep my remarks short and hopefully to the point. As I said on Second Reading and in Committee, I will not pretend that the Opposition do not support the wider principles of the Bill. I thank the Minister for the constructive way in which she has engaged on it with me from the outset.
I turn to the new clauses and amendments. New clause 1 is an improvement on the Government’s first attempt to change the definition of “occupier”, but the changes put forward are still not watertight when it comes to preventing unintended consequences. The new clause does not address the underlying issue that operators could theoretically use it in situations other than when existing agreements have expired, which could lead to financial consequences for small site providers who have been hard done by since the electronic communications code review in 2017. More work is needed when the Bill moves to the other place to ensure it does not unintentionally punish site providers further. We have no issue with the proposal in new clause 2 that grants the Secretary of State power to make regulations that provide for a function conferred by the code on the court to be exercisable in relation to Wales by the first-tier tribunal.
I will speak to amendment 14 on behalf of my hon. Friend the Member for Hackney South and Shoreditch (Dame Meg Hillier). She sends her apologies to the House; she is chairing the Public Accounts Committee. We have checked with the Clerks and the Speaker’s Office to check that that is appropriate. That amendment, and the consequential amendments 15, 16 and 17, seek to apply a different regime under the electronic communications code to private landlords. They would give operators automatic upgrade rights in respect of properties owned by private landlords, subject to the strict condition that the upgrading imposes no additional burden on the other party to the agreement.
The growing digital divide in our towns and cities has only been exacerbated by the pandemic. The Government’s broadband target has been downgraded twice, and the Digital, Culture, Media and Sport Committee doubts that the current 85% gigabit target will be met. The backlog is due to the difficulty in accessing a high number of properties, a disproportionate number of which are flats, whose absentee landlords have little to no incentive to respond to requests to upgrade and improve connectivity.
Ruth Edwards (Rushcliffe) (Con)
I have complete sympathy with the intention behind the amendments and with what the hon. Gentleman is trying to do, but many providers whom we have spoken to throughout the Bill’s passage oppose them on the grounds that they will give the incumbent provider an advantage. Is he concerned that an unintended consequence of his amendments might be to make it more difficult for new competitors to enter the market and provide our constituents with the services that they need?
Chris Elmore
I welcome competition in the market, but I would say to the hon. Lady that we now have broadband blackspots in parts of central London, and 15% of the constituency of the hon. Member for Hastings and Rye (Sally-Ann Hart) has these MDU blackspots. This is affecting constituents up and down the land, and the demand from all our constituencies, particularly because of the pandemic, is that we require the very best sector-leading broadband. It cannot simply be the case that some operators say this must happen and some say it should not happen, therefore nothing is resolved.
Product Security and Telecommunications Infrastructure Bill (Third sitting)
Ruth Edwards ExcerptsThursday 17th March 2022
(2 years, 1 month ago)
Public Bill CommitteesRead Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 17 March 2022 - (17 Mar 2022)
Julia Lopez
I thank the hon. Member for tabling these amendments. I represent an urban constituency and, as the Minister for digital connectivity, I am very alive to any concerns about the digital divide. I have tested the legislation to make sure that we are not exacerbating that. The amendments relate to circumstances in which an operator can upgrade or share the use of their apparatus without specific permission from a landowner or a court order. Crucially, the amendments relate to rights that the Bill grants retrospectively to agreements that are already in place. The amendment seeks to expand those rights in circumstances where apparatus is situated on, under or over land owned by private landlords.
Retrospective legislation must take particular care to strike a balance between impacts on individual rights and any public benefit that the legislation aims to deliver. The Government believe at this time that expanding retrospective upgrading and sharing rights in the way these amendments suggest would not be justified. Upgrading and sharing electronic communications apparatus offers a wide range of substantial benefits. Those are benefits that the Government specifically recognised in their 2017 reforms, when limited automatic rights were introduced for operators to upgrade and share their apparatus. The exercise of the new upgrading and sharing rights was made subject to certain conditions. Those conditions were intended to strike the right balance between the rights of individual landowners hosting apparatus and the public benefits delivered by operators upgrading and sharing their apparatus.
The changes made in the 2017 reforms therefore permit upgrading and sharing to take place without a landowner’s specific consent only where any impacts on that individual will be limited. However, it was recognised that any use of those rights could have some impact, albeit very limited, on individual landowners.
Ruth Edwards (Rushcliffe) (Con)
I remind the Committee of the declaration of interest that I made: I have worked for a number of providers, including BT and techUK, that will be affected by the legislation, and I carried out cyber-security consulting for MHR last year. I agree with the Minister about the need to seek a balance between the rights of landowners and the rights of operators. However, we cannot lose sight of the fact—this is a point she has been making powerfully—that we must get behind upgrading our digital infrastructure as fast as is practicably possible.
I am aware that we are about to debate amendment 8, which would make it more expensive for operators to access land, and put them at a disadvantage compared with other utility companies. Does the Minister agree that adopting amendments 9 to 12—and then 8—would risk sending a mixed signal to the market? On the one hand we are making it more expensive and difficult for our operators to access land, but on the other hand we are rolling back the scrutiny that they have to access private property at the moment.
The Chair
Before I call the Minister, I will take this opportunity to say that interventions should be relatively short and to the point. It will not be difficult for hon. Members to catch my eye to make points in a debate if they wish to.
Product Security and Telecommunications Infrastructure Bill (First sitting)
Ruth Edwards ExcerptsTuesday 15th March 2022
(2 years, 1 month ago)
Public Bill CommitteesRead Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 15 March 2022 - (15 Mar 2022)
The Chair
Copies of written evidence that the Committee receives will be made available in the Committee Room and circulated to members by email. I would usually call on the Minister at this stage to move the motion for the Committee to sit in private, but I do not think that the Front Benchers on either side want to move into a private session, so we will continue sitting in public and the proceedings are still being broadcast. Before we start hearing from the witnesses, do any hon. Members wish to make declarations of interest in connection with the Bill?
Ruth Edwards (Rushcliffe) (Con)
I am a former worker in the cyber-security industry, and have worked for a couple of the witnesses giving evidence today. One is techUK; I have also worked for BT, which of course owns Openreach. I also draw the Committee’s attention to my entry in the Register of Members’ Financial Interests: I undertook some work in cyber-security for MHR between May and December last year.
The Chair
Thank you. The Clerks will note that declaration from Ruth Edwards; and Ruth, if you wish to refer to it later in the proceedings, do so.
The Chair
Thank you. Will any Members wishing to ask questions please indicate that? Ruth Edwards.
Ruth Edwards
Q
Anna Turley: That is in total.
Ruth Edwards
Q
Anna Turley: Well, we know that a third of them have had reductions of around 90% or 95%; that is from our own survey approaches. Going back to the Minister’s first question, I could write to the Committee afterwards with the exact number. Thousands of people have written to us through social media and email, and have responded to our website. I do not have a total number for all those who have contacted us, but there are thousands of case studies across the country.
Ruth Edwards
You must have a rough idea. Is it something like 10% or 50%?
Anna Turley: I would say that probably about 4,000 people have reached out to us, but again, people have to be aware of our campaign. They have to have found us—come across us on social media. They have to have been engaged with us. It does not mean that there are not an awful lot of people sitting and suffering in silence. Part of the reason for setting up this campaign was that there were people who were just in despair and really struggling. Our campaign was set up to give them a voice and to give them access. I think this is really important. When the legislation was made previously, you were hearing only from mobile operators—those on the other side. There is no roll-out and no connectivity without people hosting a site on their lands. These people are fundamental to us hitting our targets, and we need to make sure their voices are heard in this campaign.
Ruth Edwards
Q
Anna Turley: I am not sure about that, but I know that internationally we compare very well. Our rents pre-2017 were not significantly higher than those in other countries, like Germany, Spain, Italy and others that are substantially ahead of us in the roll-out. I do not believe, and evidence does not suggest, that cutting these rents has actually increased our roll-out and our connectivity.
If you want to make the comparison with other utilities companies, the issue for all of those is that they are very tightly regulated industries, whereas there is very little regulation, and very little accountability and transparency, on the telecoms industries. If they are to become an essential utility—that may be the way we go, down the line—it is fundamental that the same kind of transparency, accountability and regulation is placed on them as is placed on utilities at the moment. That is not the case. We have no idea whether the savings that have been made through this have been reinvested in new infrastructure. There is no onus on these companies to do that. The Government are continuing to subsidise them with things like the shared rural network. It seems to be money after money towards these companies, without any indication of whether that money is actually being invested in helping us to achieve our connectivity outcomes.
Ruth Edwards
Q
Anna Turley: We are funded by an organisation called APW, which is a company that is a telecoms—sorry, a company that owns a land infrastructure itself. But as I say, we are supported by colleagues like the NFU, the CLA and others who back our campaign, and we represent all the site owners that have contacted us over this time to get their voices heard.
There are huge organisations, like Speed Up Britain and Mobile UK, that have very good connections with Government and are able to lobby and present their side of the argument. Until Protect and Connect was set up, there was no collective voice—no unified way in which site owners could speak to Government and tell their story. I think it is really important that we hear about this. I have examples here of constituents of your own who are saying, “We have telecoms masts. In view of the impact on our rent, I would certainly not have allowed the siting of masts on my property.” A number of people and organisations around the country would not have had this voice if we were not providing this campaign.
Ruth Edwards
What’s their interest in this?
Anna Turley: Obviously they are a site provider—
Ruth Edwards
So they would stand to gain substantially financially if we increased rent valuations.
Anna Turley: They have been losing substantially since 2017, so, yes, of course there is a financial interest. The point of the campaign is that they, by themselves, do not have a voice, and without their funding this campaign neither would all the other affected organisations—charities, community groups and others. If a representative of Speed Up Britain were here, you would recognise that there is a financial interest for mobile operators as well.
We have been very clear about the issue. Of course, the valuation is important and the money is important. I am a member of the campaign because bad policy has been developed over the past few years that has basically put all the power in the hands of a large number of mobile operators. Ordinary people around the country have been absolutely hammered by that and have not had the opportunity to express the impact on their lives and livelihoods. The campaign is a really important one to address that balance.
Ruth Edwards
Just to be clear, I do not think that there is anything wrong with APWireless lobbying for their interest; like you say, big telcos would as well. For clarity and transparency, however, I think it is important for people to note that Protect and Connect does not just represent small landowners and community groups; it also represents APWireless, which describes itself as one of the world’s leading mast lease investment firms, with thousands of leases in 21 countries across the world. I think it important that we have that on the record.
Anna Turley: Absolutely; no problem with that.
The Chair
I remind Members that we should confine ourselves to questions, not to straightforward dialogue.
Product Security and Telecommunications Infrastructure Bill (Second sitting)
Ruth Edwards ExcerptsTuesday 15th March 2022
(2 years, 1 month ago)
Public Bill CommitteesRead Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 15 March 2022 - (15 Mar 2022)
Chris Elmore (Ogmore) (Lab)
Q
In that vein, is there something in the idea of a reporting mechanism—either by the Department or some sort of regulator, annually or however long is appropriate—for whether these organisations and manufacturers are working to the standards that you so strongly set out? They have had years to deal with the standards, but many are still not doing it. I am suggesting naming and shaming, if you will, to give consumers better informed decisions.
A lot of people borrow money to buy these devices. On Second Reading, I expressed a concern that many people will look in a retailer or online, and go, “If that doesn’t exist for this much time—if it only has two years on it and the loan is three years—why am I bothering to purchase it if it is obsolete in that time?” That is a concern that many people have. Consumers potentially do not know what this or that means, but they know what “security” means, and if they think something is not secure, then, as Professor Carr mentioned, they think, “Well, I won’t bother having that product, because it isn’t safe”, because that is how they view the word “security”, which is logical, but not necessarily the best option given what they are looking for. There are several questions in there, forgive me, but they are interconnected with what the Minister was saying.
Professor Carr: I will try to answer as many as I can, as well as I can. I am sure that David has comments as well.
On educating consumers, that question of “Will the loan outlast my device?” is a very astute one, because consumers do not need to understand—they never will—all the ins and outs of phone or device security, but that is a very pragmatic response: “What actually am I buying? I am spending for three years to buy two years of a phone.” That type of consumer education will snowball when people are presented with information on how long the device will last and asked, “Is that what you want?”
I guess online markets are already regulated. There are things that we cannot buy in the UK and that cannot be shipped here. It would certainly have to be a consideration that, ideally, devices that did not meet UK standards were not able to be shipped to the UK, but I guess that is the case with many consumer goods that we cannot buy online. There is a tendency to blame business in this scenario and to see manufacturers as careless or irresponsible, which surely some of them are. However, it is also the reality that businesses have to make a careful calculation on how they invest. If it costs more to produce a product and they are answerable to shareholders, they have to have a conversation about why they are spending more on a device that is already selling well and returning a profit. I am not saying that that is the way it should be, but that is the way the free market works.
Look at what happened with GDPR. In my work, we work a lot with senior business leaders and talk to them about how they respond to cyber-security regulations. They did not push back against GDPR or see it as terribly negative; they saw that it unlocked budget for them to use, because they could quantify what percentage of their global turnover a data breach would cost or what the fine could amount to. They can take that calculation to the board, and say, “Right—we mustn’t have a breach or it would cost this much. How secure do we feel we are?” That is where such regulations can have a very positive effect on industries that would like to comply but cannot just invest in all the different aspects of a device without some justification. This gives that justification. It unlocks that funding in those board conversations about where investment in products should go.
David Rogers: Just to address the Amazon/eBay question, I have seen all this stuff. I have bought some of it to have a look at. A lot of counterfeit and substandard—the Chinese call them Shanzhai—products are available. I have conversations in which people say, “This is about buyer beware. You’d never buy a £9.99 smart watch. You should know that that’s going to be dodgy,” but as you said, people cannot necessarily afford it. There is a peer pressure element to it, and there is a sort of endorsement by the brand. If you go to Amazon, you expect it to be a quality product, so people are lulled into that sense of security that what they are getting is quality. In some cases, that is not the case. I fully agree that the companies that are retailing this stuff cannot just lay the blame at the door of the companies that are stocking and selling it. If it is on Amazon Prime, surely Amazon has a responsibility over that.
Earlier, Dave mentioned different regulatory regimes and that there may be some fragmentation around the world. I actually think that there is probably a lot of alignment and harmony. There has been a lot of work between DCMS and the National Institute of Standards and Technology in the US, so there is a broad understanding of what good looks like. If, either through some self-declaratory measure or by some endorsed mechanism of compliance, those companies are told to come up with a compliance statement, that helps the likes of Amazon and eBay to select their suppliers appropriately and then to remove them from their stores more easily. At the moment, it is kind of a wild west. They do not have any questions or answers.
Ruth Edwards (Rushcliffe) (Con)
Q
Professor Carr: I think the Bill would be a hugely positive step. There is a lot more to be done in terms of regulating emerging technologies. As I said earlier, the UK is a country at the forefront of thinking about these issues and taking action. It is new territory, because we are not used to legislating about these things; it seems somehow interventionist, or that it stifles innovation. Actually, digital technologies have become so integrated into every aspect of our lives, from the most personal level to infrastructure, and we have not caught up with that in what we see as the acceptable responsibility of the Government, of individuals and of industry.
There has very much been a narrative that Governments need to stay out of this area. I think that is very dangerous and wrong, because that is how we have ended up in the situation we have been in. It is certainly a balance between those parties—Government, civil society and industry—but we are a long way from having that balance right. Governments are beginning to see that there is a mandate and that they have a responsibility. We see that not just in the UK, but certainly in the US, Australia, the EU. But there is a long way to go.
Ruth Edwards
Q
Professor Carr: I would like to see the range of devices extended—in particular, where it talks about toys and safety devices. There is a whole category of other devices that should be included, particularly when we think about children. There is a market emerging now for tracking devices for children, or these phones, which are not really phones but communication devices. I think the scope of the devices should be expanded.
If I had a magic wand and it was up to me, I would say that devices had to be supported for a minimum time. Otherwise, you end up with the very distasteful scenario that we were just talking about, where people who are less resourced are buying less secure devices and living less secure lives. I would like to see a minimum time that devices had to be supported.
I would say those two; I would go much further, but it is a good start.
Ruth Edwards
Q
“Current proposals risk unintended consequences for manufacturers and consumers”.
It points particularly to security requirement 2, which is to implement a means to manage reports of vulnerabilities, and notes:
“On vulnerability reporting, not all reports/vulnerabilities will require intervention. The Enforcement Body needs to carefully consider when to alert the public about security risks to ensure associated devices are not viewed as obsolete or that vulnerabilities yet to be mitigated are advertised to threat actors.”
What is your response?
David Rogers: I will be frank: I think they have misunderstood what vulnerability disclosure is. As I mentioned, there is an ISO specification for this. The security research community and the hacking community have been campaigning for this for years and years. It is well established. A lot of the bigger tech companies have recognised that this is the right way to deal with things. I am sure that you understand vulnerability disclosure, but the process is that if a security researcher or hacker discovers a vulnerability, they have an easy way to report that to the company confidentially. That process typically takes anything from 30 days to 90 days. At the end of that process, a fix is issued, if that is possible. It may even extend for a longer time if it involves other companies. Then the security researcher is able to go public with their work, but that is only after a fix is issued. This has been fought out over a long period, and is the right way of doing things. It is agreed between the hacking and the tech communities.
There may be some education work to be done for those manufacturers who do not understand that this is the right thing to do. They should be implementing vulnerability management schemes internally anyway. I think John Moor mentioned this morning that it is about quality. It is about good software quality measures and good software design. We have seen some really catastrophic problems caused by vulnerabilities that have been sitting there for years. That is the old world. We need to move on from that. The new world is about continuous software updates and a continuous product security lifecycle. People cannot just ship and dump products on to the market and leave them there.
The Chair
Can I bring in Kevin Brennan, as we only have four minutes before this panel comes to an end?
Ruth Edwards
Q
Rocio Concha: Is this about the length of time a product will be supported for? That information should be provided clearly at the point of sale, before you make a decision, so that you know you are going to buy something that may be supported for only two years, versus another product that may be supported for longer. That will hopefully provide everyone with the incentive to extend the number of years for which a product is supported.
We also need to make sure that that information is very clear. We should avoid “up to three years” and “for the lifetime of the product”, which do not really mean much for the consumer. For the consumer to be able to act on that information, it has to be very clear and easy to find when they are making that decision. That is what I would say.
On changing the security, I am a little worried about the industry saying that it may change the period during which a product will be supported. If that change is to extend that period—great; if it is to reduce it, that is very bad. At that point, the consumer has made a decision and bought a product because that product was going to be supported for longer.
If someone was told that a product would be supported for four years, and they later found out it was two years, that product would not be fit for purpose. Under the Consumer Rights Act, you have a right on the same grounds as the Consumer Protection Act 1987.
The Chair
If there are no further questions from Committee members, that brings today’s sitting to a close. On behalf of the Committee, I thank the witnesses for their evidence this afternoon. The Committee will meet again on Thursday at 11.30 am in Committee Room 14 to begin line-by-line consideration of the Bill.
Ordered, That further consideration be now adjourned. —(Steve Double.)
Product Security and Telecommunications Infrastructure Bill
Ruth Edwards Excerpts(2 years, 2 months ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lucy Powell
The right hon. Gentleman is absolutely right that the Bill and the previous code mean that those cricket grounds, sport clubs and churches in all hon. Members’ constituencies that had phone masts put on their property in good faith to give them income that they would not otherwise have, which in many cases keeps them going, have been offered dramatically reduced rents but are forbidden by law from taking the masts down. They are between a rock and a hard place. It will put many of those community groups, and the roll-out, at risk.
There is a real risk that the Bill will hamper, rather than support, faster broadband and 5G roll-out, so what assessment has the Secretary of State made of the effect of the 2017 changes on rent levels and on the speed of roll-out? Given that previous reforms to the code have resulted in no demonstrable improvement, what makes her think that strengthening the hand of telecoms firms will speed up the roll-out, rather than simply allowing them to increase their profits further? I think that is the thinking behind the now not-selected reasoned amendment tabled by the right hon. Member for New Forest West, with which I have a great deal of sympathy.
The Opposition support the broad approach of the Bill, but the security measures are too little, too late and are behind the technology curve rather than in front of it.
Ruth Edwards (Rushcliffe) (Con)
I am listening to the hon. Lady with interest and I think that security is an issue on which we can work across the House. What specific measures from the 2018 “Secure by Design” guidance does she think should be included in the Bill but are not at the moment?
Lucy Powell
I am coming to the end of my speech, but there are a number of issues that could have been included in the Bill, some of which I have outlined. There are security issues, and there are new waves of technologies that are not in the Bill’s scope; as the Secretary of State rightly pointed out, they are coming on us really quickly. Bills like this one tend to come three or four years behind the technology, rather than ahead of it. That is what I would like us to work together to address.
In conclusion, we fear that these telecommunications infrastructure measures could further hamper the Government’s pretty woeful record on broadband and 5G infrastructure.
Ruth Edwards (Rushcliffe) (Con)
I start by declaring my interests. Much of my previous career was spent in the cyber-security industry, and in the four years before being elected to Parliament, I led commercial strategy and public policy for BT’s cyber-security team. BT was one of the companies that helped to design the Secure by Design code of practice, some of which we are putting into law through the Bill. Also, I have recently undertaken cyber-security work for MHR, which is set out in my entry in the Register of Members’ Financial Interests, although the company does not produce consumer devices, connected or otherwise.
In some ways, cyber-security was good preparation for politics—for example, waking up to nightmare headlines such as,
“Attack of the refrigerators! The cyber-threats lurking in your home”
and
“Is your smart TV too wise? The FBI warns your screen is watching you”
and
“HACKED IN THE HOME: Your entire home could be HACKED with these simple mistakes, cyber-experts warn”.
Perhaps the most disturbing one I have seen is:
“Hacker who stole nude self-portraits of George W. Bush jailed for four years”.
I am all for being tough on crime, but surely in that case the perpetrator had already suffered enough.
Alarmist headlines aside, the Bill is very much needed to protect our constituents. The average UK household has nine connected devices, and the security on most of them will be poor. Information about how secure the devices are, or how long they will receive security updates for, is unlikely to have been provided when they were sold. What are the risks? There is a huge impact on our constituents’ privacy. Your TV really could be watching you. Two years ago, footage stolen by hackers from home security cameras in Hong Kong was sold to pornographic websites—a huge invasion of people’s intimate private moments. There are numerous reports of baby monitors being hacked by paedophiles.
There is also the danger of hackers using a fairly innocuous connected device as a gateway to jump to other devices and steal valuable information. An infamous example from the business world is the attack in 2013 on Target, one of the top five retailers in the US. Criminals gained access to its network through a supplier connected to an external vendor portal. They then stole the details of 40 million customer credit and debit cards. The supplier just provided air-conditioning. The total cost of the cyber-attack was more than $200 million. That is one hell of an expensive air-conditioning bill. There was also an attack on a casino, where hackers gained entry to the network through the thermometer of a fish tank.
Once they have a foothold in the home, hackers can access other devices that are not properly secured. There is a real danger that sensitive information relating to a constituent’s health or their financial information could be compromised, but how common is that really? Is it just a case of a few alarmist headlines? The consumer watchdog Which? ran an interesting experiment last year. It set up a smart home with a range of consumer devices, from kettles to thermostats, televisions and security devices, all connected to the internet. It experienced 12,000 hacking or scanning attempts in a week. At one stage, it experienced up to 14 hacking attempts an hour. We have a problem, therefore, but not a problem of which many people are aware. A recent report that surveyed 2,000 UK consumers found that people were largely unaware of the risks. Some 48% of respondents were not aware that hackers could hijack their connected devices.
Unsecured consumer devices are also a real risk to our digital infrastructure. Hackers who control connected devices can harness their collective power into a botnet—a network of devices that can be used to launch denial of service attacks on our digital infrastructure. The Secretary of State referred earlier to the Mirai botnet. What is interesting is that it is thought to be the first botnet to harness the power of insecure consumer devices or the internet of things. At its peak, it had about 600,000 devices—baby monitors, radios, cameras—at its beck and call. You and I would not necessarily have noticed it, Mr Deputy Speaker, until the day it launched an attack on the domain name service provider Dyn in 2016. In doing so, it took out Netflix, PayPal, Amazon, Visa, Reddit and Airbnb for the best part of a day.
Contrary to some of the claims we have heard from those on the Opposition Benches, the UK has always been a world-leading cyber-power. Back in 2011, we were one of the first countries in the world to publish a cyber-security strategy. It recognised the risks and opportunities that cyber-security brought to nation state relationships, critical infrastructure, business, consumers and society as a whole. We have always been out in front when it comes to protecting people, businesses and critical infrastructure.
In the 2016 refresh of the national cyber-security strategy, the Government moved from relying on a market-based approach to protect consumers, to a more active role through the UK’s active cyber defence programme, which makes the infrastructure of the UK’s internet more difficult for cyber-criminals to exploit. It does that through measures such as improving the security of internet protocols—the method by which data is sent from one computer to another—and domain name system filtering that blocks access to sites known to host malware, such as phishing sites. The 2016 strategy also committed to publishing guidance on how to improve the default security of consumer products. There are three measures on that in the Bill. As we know, it forms the basis of similar codes used in India and Australia, but it also forms the basis of the first global technical standard for consumer cyber-security products. So far from being behind, the UK is the leading country in the world on this issue.
As has been set out, the three measures put forward are: banning default passwords; implementing a vulnerability reporting scheme; and informing consumers how long a product will receive security updates for at the point of sale. They are really necessary because, I am sorry to say, we have not seen the response from industry that we should have. Too many manufacturers are still not taking responsibility for ensuring their products have the basic security that our constituents need. Too many still shunt their security responsibilities on to the users of their products.
We need to call time on this. The digital economy is growing and holds huge opportunities, but those who benefit from its growth should also be investing in the safety and security of its users. We are still, in my view, only on the cusp of the fourth industrial revolution, the fusing of our digital and physical worlds. Cyber-security needs to be a part of that revolution to ensure that the inevitable risks are outweighed by the opportunities.
Chris Elmore (Ogmore) (Lab)
It is a pleasure to close this Second Reading debate. The first job of any Government is to keep their citizens safe, and I am glad that the security elements of the Bill were developed in conjunction with the National Cyber Security Centre and the Department. Her Majesty’s Opposition have the utmost confidence in our national security services, which go to such incredible lengths to keep us all safe in an increasingly difficult online world.
A number of speeches have been made by Members on both sides of the House, but let me deal first with what was said by my hon. Friends the Members for Ealing North (James Murray) and for Luton South (Rachel Hopkins), both of whom spoke about the notspots in their constituencies and the increasing problems with access to tech. People may have the “plumbing” that can provide a good standard of broadband, but they may not have, indeed may not be able to afford, the equipment that would give them access to it.
We in the Labour party put security at the heart of everything we do, and it is owing to that desire to see people in this country safe in cyber-space that we will not oppose the Bill. However, there are issues that we feel should be addressed in it, some of which have already been mentioned today.
The product security measures in part 1 contain proposals that Labour fully supports. They include a ban on devices that come with easy-to-guess passwords such as “default” and “admin”, and oblige firms to make such vulnerabilities public knowledge, with those failing to comply being threatened with large fines. That is especially prudent as it institutes common-sense rules for sellers to follow, and ensures that consumers are more engaged in cyber-security. Basic cyber-hygiene is paramount, and measures such as changing default passwords would do a great deal to improve devices’ security by, in theory, adding an additional layer of protection. However, we agree with many in the industry that certain measures could have gone further, and we will continue to hold the Government to account in the areas where we believe that to be the case.
While the pursuit of increased security on devices is laudable, there are concerns about the practicality of such changes. If each device is now legally bound to have a private password, who will be responsible for managing it? Given the plethora of smart devices that we all use, I am sure that we have all forgotten a password or two; I certainly have. If a device needed to be repaired and the user had forgotten the password, how would the specialist repairing the phone gain access? Many in the industry believe that that could potentially lead to a situation in which manufacturers might have to provide “super-user accounts” or “backdoor access”.
The Bill also introduces the mandating of manufacturers to tell consumers at the point of sale about the product’s lifespan and for how long it will receive security updates. While we can all agree that more transparency is a good thing for customers, if security updates are available for a few years—as is the case with Android phones, for example—surely that will lead to built-in obsolescence, meaning, in this case, smart devices being excluded from key security updates after a relatively short lifespan.
Ruth Edwards
The point is that the companies providing the devices will stop giving out security updates anyway. All that the Bill is doing is ensuring that users are informed of when that will happen. It is not forcing in any obsolescence; it is merely giving consumers choice by enabling them to know when those security updates will be stopped.
Chris Elmore
I take the hon. Lady’s point, but not everyone can afford simply to keep on replacing their technology. [Interruption.] I gave way to the hon. Lady, so she should at least give me the courtesy of allowing me to respond. It is quite simple, is it not? [Interruption.] Government Members do not like it, do they? Perhaps this is not an issue in her constituency, but I bet it is. If a company says, “You will not receive security updates after X amount of time”, people will naturally assume that they have to replace their device. We have heard from Members from across the House today that not everyone can afford to keep replacing devices based on the security that is put in front of them.
All I am asking of the Minister is to work with the industry to ensure that if updates could be taken over a longer period, it is not simply a binary issue of saying, “This device will no longer be updated.” It is as simple as that: we are just trying to make sure that people can afford to keep the devices they own. In many cases, people will save for years to pay for devices or do it through hire purchase.
Chris Elmore
I will not, no, because the hon. Lady does not like the answer—that is the problem, is it not?
We must also consider the wider view that part 1 of Bill is limited in scope. However, it is clear to all of us here today that no one nation can legislate the internet. Part 1 does provide some desperately needed security responsibilities for the consumer, combined with giving them the necessary information to make informed choices about how they manage the basics of their own digital lives. The pandemic has only served to accelerate the shift to digital, and with that comes the question of increased security and safeguards online.
Now let us turn to part 2 of the Bill. I do not often say this, but I am in almost complete agreement with the right hon. Member for New Forest West (Sir Desmond Swayne)—that is an odd experience, after so many years in the House with him. A number of Members have spoken about constituency issues relating to the changes to the code in 2017, including the hon. Members for North Dorset (Simon Hoare) and for St Albans (Daisy Cooper). It is a good job I am a Welsh MP, because the hon. Members for Ceredigion (Ben Lake) and for Carmarthen East and Dinefwr (Jonathan Edwards) have also done so. I pay particular tribute to the hon. Member for Stroud (Siobhan Baillie), who spoke honestly about what many community groups, farmers, landowners, churches and many other organisations across her constituency are facing, and I agree with her.
We are asking the Government for a review, for it to be fair and for it to provide assurance to those organisations, many of which were the backbone of supporting communities up and down the land during the pandemic, whether through feeding us, taking us in collective worship or offering support to our children and young people. These community organisations deserve our support and we need to ask the Government to follow through on their commitment to undertake a review this year, which was part of the original commitment from a number of years ago. I pay tribute to the hon. Lady for saying that.
On part 2 and the current state of our country’s telecommunications infrastructure, we do have some concerns, as set out by my hon. Friend the Member for Manchester Central (Lucy Powell), the shadow Secretary of State. Having inherited a world-leading position from the last Labour Government, since 2010 the Conservatives have cultivated a culture of missed targets, stunted ambition, and ultimately, stagnation when it comes to our telecommunications infrastructure. The last Labour Government recognised the central role that connectivity would play in the economy of the future, and rightly placed the issue front and centre. As a result, we delivered first-generation broadband to about 13 million UK households by 2009, which shows that large digital infrastructure projects can be delivered at breakneck speed.
To put it simply, we had a vision that we made a reality. Ambitions can be delivered at this sort of speed only when there is real effort, action and long-term planning on behalf of Ministers. Unfortunately, we are not getting that from the current Administration. As has become the norm with this Government, bold and exciting-sounding targets are made in public, only to be quietly watered down at a later stage. The Prime Minister came into office promising full-fibre broadband “by 2025”. His Government then realised that they were not going to be able to deliver it, so they reduced the target to full gigabit broadband by 2025. Realising they also could not deliver that, they landed at the current target of 85% gigabit broadband by 2025. Several bodies, including the Public Accounts Committee, the Select Committee on Digital, Culture, Media and Sport, and many industry experts, now doubt that the Government are even going to achieve that. Dither, delay, disappointment—this has become the norm under this Conservative Government.
The primary concern is that this Bill fails to address the fundamental flaws introduced in the ECC. The code did not receive the necessary scrutiny, resulting in an imbalance between mobile operators and property owners. The Law Society’s analysis makes it clear that the Bill fails to address fundamental flaws in the code that are holding back the roll-out across the country. We are now concerned that the measures in this Bill may slow the 5G roll-out further by disincentivising small building owners and landowners, such as churches, community groups, sports clubs and farmers, from hosting phone masts.
This all began when the Government introduced the ECC in 2017, permitting telecoms firms to renegotiate rents for phone masts down by as much as 90%. Despite promising that the reductions in rent would, in reality, be no more than 40%, this has not held true and the rent reductions have far exceeded that figure. It was deeply disappointing to hear the Secretary of State say to the right hon. Member for New Forest West that there will be no review, despite there being promises to the contrary—yet another broken promise to the people of this country.
The Government have created a framework that allows telecoms companies to dramatically reduce their costs at the expense of businesses, sports clubs, farmers, small landowners and community organisations. I know the Minister will have heard at first hand from a number of organisations across the country that rely on this small but crucial source of income. It is therefore of the utmost importance that the Government review the Bill to make rental valuations for telecoms masts fairer.
We heard from the hon. Member for Stroud about the David and Goliath issue of a big telecoms company versus a church, sports club or scout hut. It surely cannot be in the Conservative Government’s interest simply to ignore all the groups across the country that are in desperate need of the regular income that has been ripped away from them for reasons they still do not really understand.
I finish with a couple of questions for the Minister. Will the Government stand by their 2017 commitment that rent reductions should be no more than an absolute maximum of 40%? Will she look to make a statement, or at least issue guidance, to establish a clear expectation of land valuation that removes the impasse between telecoms companies and site owners? Finally, will she commit to looking at the evidence base and undertake a full economic review of the code by the end of 2022, as was promised during the passage of the previous Bill?
The Opposition want to ensure that every community across the UK has the very best opportunities when it comes to connectivity, whether it be in people’s homes or to allow small businesses to start up right across the United Kingdom. We want the Government to share in that ambition and to keep their promise to deliver improved digital infrastructure. We ask the Minister to step up and deliver these much-needed improvements across the UK.
Online Harms Consultation
Ruth Edwards Excerpts(3 years, 4 months ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Oliver Dowden
The hon. Lady has hit on exactly the essence of the problem and what we have sought to do through the legislation. The reason we are imposing a duty of care is precisely because we know that such things evolve over time and that each company needs to take appropriate steps. Clearly, we cannot individually identify every single harm or every single action. Instead, we are setting it out as a duty of care to ensure that flexibility.
Ruth Edwards (Rushcliffe) (Con) [V]
I welcome the new regulations and my right hon. Friend’s reassurance that smaller businesses and new entrants to the market will not be disadvantaged. Can he tell me what criteria will be used to determine when a business meets the threshold for the new regulations to apply?
Oliver Dowden
My hon. Friend is entirely correct to raise that point. Essentially, the criteria will be if the purpose of the website is not in any way related to user-generated content, but that is just a small by-product. I used the example—it might be seen as slightly frivolous, but it is a way to illustrate it—of the online cheese retailer. Many small businesses, which are essentially retail or other activities, may allow reviews and so on. It is perfectly reasonable that we should say from the start that they are not subject to it. In practice, they would not be anyway because they will not fall within the codes of conduct. It is my experience with regulation that the more we can exclude from the beginning, the better, because it removes that worry, which frequently comes from small businesses that have one or two people, not massive compliance departments that can deal with it.
BBC Regional Politics Coverage
Ruth Edwards Excerpts(3 years, 10 months ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Neil Parish
The hon. Lady is echoing so much of what has been said in this debate. The message we need to send to the BBC is that we not only want the regional BBC to be saved—we want it to be broadened and made even more local in this digital age.
We have all got much more used—certainly I have got much more used—to using the computer for the Zoom, the Microsoft Teams and all these things, and being able to link in wherever. We sometimes almost spend too much time on creating the best-quality television—not the quality of the programme but the quality of the production and the science behind it—rather than making it as broad as possible. If there is anything we can learn from this epidemic, it is that we can probably widen things by doing more Zoom stuff and getting people in from all over the place—we can do that much quicker and more easily and get a better message. Quite a lot could be learned. I hope the BBC is listening to this debate and that by the time we finish, it will be open to many more ideas than it was before we started.
Ruth Edwards (Rushcliffe) (Con)
I thank my hon. Friend and congratulate him on securing this Adjournment debate. Does he agree that programmes such as “Inside Out” are incredibly cost-effective? I understand that it costs about £6 million a year for all 11 regions that it covers, which, to me, indicates great value for money. The BBC’s charter says that the BBC should reflect, represent and serve the diverse communities of all the United Kingdom’s nations and regions, and that it should offer a range and depth of analysis and content that is not widely available from other UK news providers. This is a point that so many hon. Members have made here tonight. If regional news and current affairs are not an essential part of any offering from a public service broadcaster, then what is? Surely, when looking at making savings, cutting investment in these programmes should be the last thing on the list rather than the first.
Huawei and 5G
Ruth Edwards Excerpts(4 years, 1 month ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Ruth Edwards (Rushcliffe) (Con)
I start by declaring an interest: I used to work for BT’s cyber-security team before I was elected. I have spent 10 years working in the cyber-security industry, and I refer the House to my entry in the Register of Members’ Financial Interests.
The security of our telecoms network is vital as we move towards an ever more connected society and economy. It does not, however, rest on the presence or absence of equipment from any single supplier. Strong cyber-security for any system, including our telecoms networks, is determined by: the security architecture principles that have been followed in its design; how the system is managed in-life, including the security controls and monitoring around it; the contingency planning that has taken place, which enables any risks that materialise to be dealt with effectively; and the testing of that contingency planning.
I will address each of those briefly, but the key thing I wish to emphasise is that there is no risk-free option. Regardless of the equipment used, our telecoms networks, Government bodies, businesses and critical national infrastructure operators will always be targets for nation states, aggressors, criminals and hackers. The key thing is to manage the risk and reduce it to an acceptable level. That is what, in my view, the telecoms security requirements achieve.
Bob Seely
I am sorry to interrupt; I know that time is short. Is my hon. Friend saying that there is no implication for 5G security, never mind the geopolitics and politics, of having a high-risk, untrusted vendor from a potentially adversarial state in the system? Is it not like giving the burglar the keys to our house, while pretending that we have a safe that is safe?
Ruth Edwards
For a start, there are no trusted vendors. Most companies operate a zero-trust policy when it comes to all cyber-security vendors. Secondly, the key point is how we manage that risk. I will go on to answer the question in a bit more detail, if my hon. Friend will bear with me.
The TSRs establish a baseline for security in telecoms, and put it on a statutory footing. They prohibit the use of high-risk vendors in sensitive functions of the network, and cap the use of such vendors at 35% across the network as a whole. As a result of their implementation, we will have some of the most secure networks in the world. The TSRs provide a clear and exhaustive list of sensitive functions related to the control, orchestration and virtualisation of our networks where high-risk vendors cannot be used. They will not be used in the intelligence or control planes of the network, and therefore will not interact with customer traffic in a detailed manner. Any impact of failure will also have a limited, localised geographical reach.
Many understandable concerns have been raised that moving to 5G networks will somehow merge those sensitive functions, often referred to as core functions, with less sensitive parts of the network in which equipment from high-risk vendors will be used. Moving to 5G network technologies could enable us to move sensitive functions out to the edge of the network, but “could” does not mean “should”. Were we to do so, using a high-risk vendor would be the least of our problems.
The further restrictions of only one high-risk vendor in the network and the hard cap of 35% further enhance the security standards. Security architecture principles are not a desperate measure to enable us to use a high-risk vendor; they are part of every network deployment everywhere, whether it is a telecoms network at national level or a business network at company level. More sensitive information and functions with higher risk are treated differently from those with lower risk. A blanket approach of doing away with all higher-risk vendors or technologies would mean that we could not use emerging technologies that offer so much benefit when deployed appropriately.
Today’s motion specifically references Huawei. The UK has globally leading insight into Huawei’s operations, processes and products through the Government-chaired Huawei cyber-security evaluation centre. Whoever the vendor is, any responsible telecoms provider will fully test all hardware and software before deploying it into their networks.
Bob Seely
Is that not the problem? So much of our kit is not being tested, which is why we need a fuller security audit. Also, the Cell is becoming increasingly concerned about Huawei, saying that Huawei is not delivering the improvements that the Cell needs. The Cell highlights those concerns in its reports.
Ruth Edwards
I thank my hon. Friend for that point. There are engineering problems in Huawei, and the Government and many UK customers have been very clear that they want Huawei to solve them. The news that I must give him is that if he started looking at the code of any supplier, he would see security issues. In security engineering, I am afraid that people make mistakes when it comes to software.
Equipment and performance is monitored in-life by telcos, and threat hunting is carried out across the whole network. Technologies are increasingly powered by artificial intelligence. AI look for anomalies of behaviour both inside the network, in terms of patterns of incoming traffic, and suspicious outbound traffic. Attempts to sabotage equipment or exfiltrate data at scale will be detected.
The National Cyber Security Centre, my former employer BT and many other telcos have all been very clear that they have not previously detected attempts at malicious activity by Huawei. If they had, they would hardly be doing business with them for their 5G networks. However, we cannot rely on the past to determine the future. That is why the cap on the amount of equipment provided by one supplier is so important, as it stops an over-reliance on one supplier in the network. Other arrangements, such as the escrow of source code, enable providers to isolate equipment in their networks and take over full operation of it, should that be deemed necessary due to mounting international tensions.
