Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

My Lords, I thank the Minister for his introduction, which gave us the context for these regulations and the risks they are designed to mitigate and prevent. I agree with him about the importance of regulating in this area but, sadly—clearly—this is not box office today. We must live with that.

I welcome the regulations as far as they go. The one bright spot is that all regulations under the original Act, with one exception, are subject to the affirmative procedure, thanks to amendments put forward by us and accepted by the Government, which were designed to implement the recommendations of the Delegated Powers and Regulatory Reform Committee. That we are discussing the regulations in this way is testimony to that.

However, the regulations do not go far enough, despite being described by the Minister as a “pioneering product security regime”. As I said at Third Reading of the original Bill, last October, we did not specify enough security requirements for IoT devices in primary legislation. There was a commitment to regulate for only the top three guidelines covered by the 2018 Code of Practice for Consumer IoT Security, namely: first, to prohibit the setting of universal default passwords and the ability to set weak or easily guessable passwords; secondly, to implement a vulnerability disclosure policy, requiring the production and maintenance by manufacturers of regularly publicly available reports of security vulnerabilities; and, thirdly, to keep software updated and ensure the provision of information to the consumer before the contract for sale or supply of a relevant connectable product detailing the minimum length of time for which they will receive software or other relevant updates for that product.

Those are now all in the regulations and I welcome that, but, sadly, many of the other guidelines were never going to be, and are not now, specifically covered in the regulations. Quite apart from the first three, there are a whole range of others: securely store credentials and security-sensitive data; communicate securely; minimise exposed attack surfaces; ensure software integrity; ensure that personal data is protected; make systems resilient to outages; monitor system telemetry data; make it easier for consumers to delete personal data; make the installation and maintenance of devices easy; and validate input data. All those are standards that should be adhered to in relation to these devices. Two of the guidelines that have not been made mandatory—ensure that personal data is protected, and make it easier for consumers to delete personal data—have been highlighted by Which? this very morning, which has produced research demonstrating that:

“Smart home device owners are being asked to provide swathes of data to manufacturers, which could compromise their privacy and potentially result in them handing their personal information to social media and marketing firms, Which? research has found”.

This is part of its press release.

“The consumer champion found companies appear to hoover up far more data than is needed for the product to function. This includes smart speakers and security cameras that share customer data with Meta and TikTok, smart TVs that insist on knowing users’ viewing habits and a smart washing machine that requires people’s date of birth. The research suggests that, despite consumers having already paid up to thousands of pounds for smart products, they are also having to ‘pay’ with their personal data”.

We need to make sure that the Government and the regulator, whether the ICO or others, are on the case in that respect.

Nor did we see any intention to introduce appropriate minimum periods for the provision of security updates and support, taking into account factors including the reasonable expectations of consumers, the type and purpose of the connectable products concerned and any other relevant considerations. During the passage of the Bill, the Government resisted that—unlike the EU, which has imposed a five-year mandatory minimum period in which products must receive security updates. So consumers in Northern Ireland, for instance, are going to be far better off as a result of the TCA and the Windsor agreement.

That has inevitably followed through into these disappointing regulations, but they are even more disappointing than previously anticipated. Online marketplaces are not covered. Why not? My noble friend Lord Fox tabled an amendment on Report that sought to probe whether online marketplaces would be covered, a question that I think we all agree is of great importance. My noble friend quoted a letter from the noble Lord, Lord Parkinson, dated 21 September 2022 stating that

“businesses need to comply with the security requirements of the product security regime in relation to all new consumer connectable products offered to customers in the UK, including those sold through online marketplaces”.

In response, the then Minister, the noble Lord, Lord Kamall, said:

“The Bill will ensure that where online marketplaces manufacture, import or sell products, they bear responsibility for the security of those products. Where this does not happen, I assure noble Lords that they should make no mistake: the regulator will act promptly to address serious risk from insecure products, and work closely with online marketplaces to ensure effective remedy”.

I accepted that assurance. I said:

“As regards the online marketplaces, I am grateful for those assurances, which are accepted and are very much in line with the letter”.—[Official Report, 12/10/22; cols. 794-95.]

That was the assurance that was given and accepted.

1.30 pm

However, in its briefing—I think that the noble Lord, Lord Bassam, has the same one as me; we are very grateful for the briefings we have been given—Which? says, and I totally agree:

“The PSTI Act allows the Government to place requirements on manufacturers, importers, and distributors”—

those last four words are underlined—

“of smart products. However, only manufacturers are affected by these regulations, and only those manufacturers who sell directly to consumers will be required to present information about a product’s support period to consumers at the point of sale. As such, consumers shopping for smart products through popular online retailers like Currys, Argos and John Lewis are not guaranteed to have the opportunity to see and consider support period information”.

That in itself is not satisfactory.

Which? goes on to say:

“We are concerned this discrepancy also weakens the pro-competitive effect of the regulations. Our stakeholder engagement has shown that leading manufacturers were expecting to benefit from greater transparency of their security support policies to consumers, but as this may not be showcased in retail environments it risks reducing a competitive advantage for manufacturers with the most consumer friendly policies. Without retailers showcasing this information and enabling consumers to discern between products with stronger or weaker support policies, manufacturers may be disincentivised from investing in robust support policies in future”.

I emphasise that that is from Which?, the major consumer champion—in effect, the progenitor of the IoT provisions in the original Bill, now an Act. Of course, Which? has been pursuing this agenda for quite some time; one can imagine the disappointment among its members and staff at this turn of events. Is not the failure to include online marketplaces a betrayal of the consumer?

In addition to those more, if you like, strategic questions, I have some slightly more detailed ones for the Minister. I want to ask about the impact of changing standards, referred to in paragraph 7.13 of the Explanatory Memorandum. It says:

“Regulation 4 provides that, where the conditions in Schedule 2 are met, a manufacturer is to be treated as having complied with a particular security requirement. These conditions relate to compliance with equivalent provisions to each requirement in appropriate international standards taken from either the EN, or ISO IEC 29147”.

I understand that and think that it is a very sensible approach, but what happens when the standards change? Will we come back here? Will we have an affirmative resolution to discuss the new standards? What provisions are made when those standards change and what process will be undertaken to review what is needed by way of new regulations?

Paragraph 7.19 of the Explanatory Memorandum talks about the Schedule 3 exemptions. It uses the same language as the Minister did: for computers, there are “unique challenges”. Can the Minister unpack that? I understand nearly all the other exemptions but we need to understand a bit more about what these unique challenges are rather than just taking it as a matter of faith that the poor old computer manufacturers are in trouble.

Finally, if we are to adopt new technology of this kind, much of which is beneficial, public trust in this area is absolutely crucial. I cannot think of anywhere where the use of data is more important. This is one of the huge gaps here. Do we really expect the ICO to have the resources to be able to oversee the use of data? I am rung on almost a weekly basis by my energy supplier to be asked, “Why aren’t you installing a smart meter?” I am resisting doing so, partly because I am not quite sure what use that data will have and who it will be shared with. I recognise that smart meters are probably a great idea for an energy company but I am not entirely convinced that it is for my individual consumer benefit. It would be marvellous if we had better regulation in that area. To me, that emphasises how important public trust in this area is.

These are tiny footsteps towards gaining trust for IoT devices. I pay tribute to all the work that UCL did in this area of research about what is needed for IoT devices, but we still have quite a long way to go.

Type: Proceeding contribution
Reference: 832 cc96-9GC
Session: 2022-23
Chamber / Committee: House of Lords Grand Committee