My Lords, I am grateful to the Minister, as ever, and to the noble Lord, Lord Clement-Jones, for his contribution. He had lots of questions, as ever, many the same as those we asked during the passage of the Bill.
The Product Security and Telecommunications Infrastructure Act creates a regime that has three purposes, which the Minister set out. They are to minimise default or easy-to-guess passwords, to maintain an awareness of security threats and publish contact information for use by consumers and owners, and to encourage greater transparency about how long the products covered by this legislation will receive security updates and support. I agree with the noble Lord, Lord Clement-Jones, that these are low-hanging fruit for regulation. We should look at this instrument as a small step in the right direction.
With that in our minds, we supported the PSTI Bill during its passage and, in common with other Members of the House, tabled and supported a number of amendments to go further than the Government wished.
The requirements being imposed on manufacturers are widely supported by consumer groups, although they are rightly very nervous and watchful of the direction in which the legislation takes us in terms of data. Questions are being asked about whether the standards are sufficient and what role, if any, distributors will have in improving consumer knowledge of security issues.
As discussed in a debate earlier this week, people’s habits with regard to data and the digital world have changed enormously over the past few years. This includes the rapid take-up of smart and connectable devices, such as smart speakers, CCTV doorbells and so on. These products are highly desirable, and yet research has demonstrated that many contain significant security vulnerabilities and that consumers are generally not aware of the risks that they face.
A policy commitment was made back in January 2020 and the Bill was passed in December 2022, so why will the new regime come into force only by April next year? We understand the need for technical details to be worked through and for manufacturers to adjust their own systems, but could the Government not have moved more quickly than this? This is a fast-moving market, after all.
We supported the passage of the Bill and, as I said, worked with colleagues across the House to push the Government to be more ambitious about the regime’s scope and the security standards that should be met by manufacturers, but it seems that Ministers refused to raise the bar and continue to do so.
As the noble Lord, Lord Clement-Jones, said, Which? and others have noted that, while the Act allows the Government to place requirements on manufacturers, importers and distributors, these regulations cover only manufacturers. Is the hope that distributors and retailers will pass security information on to consumers voluntarily or is the department looking at other tailored requirements for them? If the latter, how long might this take? Perhaps the Minister could elucidate that.
It seems that every day we hear of another major hack or data breach. Some are used to defraud victims, while others harness networks of smart devices to launch attacks on major websites. Sadly, these dangers are likely only to grow, as we discovered in recent weeks, so it is vital that the Government keep their foot on the gas on these issues, rather than passing these regulations and considering them job done. There is much more to do.
Like the noble Lord, Lord Clement-Jones, I draw attention to the Which? briefing paper, reflected in a Guardian article today, which suggests that manufacturers may be using these devices to collect more data than the legislation seemingly enables, which is shocking. Asking for postcodes and date-of-birth data seems outwith the manufacturers’ immediate needs. Can the Minister throw some light on this issue? What are the Government’s intentions regarding it and how do they intend to address it? These issues of data retention and use are serious. They affect consumer behaviour, confidence and trust, and trust is a terribly important commodity in today’s world. I hope the Minister can answer those questions.
I am rather with the noble Lord, Lord Clement-Jones, on smart meters. We have one; it is a scary device, and it has become scarier in the last year as the bills have gone up. I am not sure of its value but my wife tells me it is an invaluable tool. I hope that is the case, that we can get better and more confident about the data that these things produce, and that they are in the service of the consumer rather than of the manufacturer, because that is really where we should be coming from.