Telecommunications (Security) Bill - Second Reading

Part of the debate – in the House of Lords at 3:42 pm on 29 June 2021.

Alert me about debates like this

Photo of Lord Vaux of Harrowden Lord Vaux of Harrowden Chair, Finance Committee (Lords), Chair, Finance Committee (Lords) 3:42, 29 June 2021

My Lords, it is a pleasure to follow the noble Baroness, Lady Stroud. I find myself in agreement with everything that she said.

Anything that improves the security of our tele- communications systems must be welcome, so I support this Bill, but I think it misses a golden opportunity. Telecommunications security covers a wide range of risks: from the resilience of the system to risks such as weather or power outages, through resilience to malicious attacks from hostile states or criminals, to the misuse of systems to access, alter or destroy data. From a consumer point of view, all those are really important, but the one security risk that impacts on people’s daily lives the most is the misuse of telecommunications networks and services by criminals and, apparently, by certain states, to facilitate fraud.

I explained during Second Reading of the Online Safety Bill that fraud is so widespread because it is easy, and it is easy because there is no incentive for a whole range of service providers to take the necessary steps to stop it. Those service providers include the search engines and social media companies, web-hosting companies, banks and more, but the list also includes telecommunications companies, which in effect facilitate fraud through three key weaknesses.

First, the most serious weakness is when a criminal is able to convince the service provider to transfer someone’s phone number so that they can control it. This is known as sim-swap fraud, which gives the criminal complete access to the victim’s emails, bank accounts, one-time passwords, contacts and so on. Indeed, with the ever-growing list of things that we can access and control from our phones, it could also give access to our front-door locks, our burglar alarms, our cars, which can now be unlocked and started by phone, and more. In fact, imagine the possibilities for criminals once we have genuinely self-driving cars all connected by 5G.

The second security weakness that telecommunications companies are allowing is the falsifying of caller IDs, when a criminal is able to appear to be calling or texting from a legitimate number, such as a bank or HMRC. As a result, the victim, believing the call to be genuine, is persuaded to provide bank details or transfer money.

The third security issue is allowing criminals to send out bulk malicious texts and calls using the networks, often in conjunction with false caller IDs. We are all bombarded with these all the time. I received one that I had not heard before just this morning; apparently, my national insurance number is being used for criminal purposes, and I must call the number or I shall have my assets seized and be arrested—so there we go. The calls can lead to fraud being perpetrated, and texts can include links that result in malware being loaded on to the victim’s phone, which allows access to emails and bank accounts. As well as fraud, they cause very real anxiety, yet we seem to have to accept them as an irritant of modern life. I probably receive more fraud calls than genuine ones, which might be a reflection on my social life. I have not been able to find any reliable statistics, but it seems that at least a material proportion of all calls and texts made over the networks are fraudulent.

This Bill seems to be a perfect opportunity to try to make life harder for the criminals who are exploiting mobile phone networks and services to perpetrate fraud. The best way in which to do this is to provide a real incentive for the telecommunications providers to prevent it; they should be liable for the penalties—although I hesitate to use that word, given what is happening in an hour or so—and for the losses incurred as a result of allowing the service to be misused, unless they have taken reasonable action to prevent it. At the moment, it is arguably in the telecommunications companies’ interests to allow the activities to continue, as they are being paid by the criminals for all the calls and texts.

Reading the Bill, I find myself unsure as to whether it covers these types of risks or not. I understand from a letter that I received from the Minister earlier today that it is not intended to, although I think that it could with not much change. Her letter, for which I am grateful, only refers to the issue of fraudulent calls and texts; it does not cover the other risks that I have mentioned. Clause 1 introduces a duty on communications networks and service providers to take measures to identify and reduce the risks of security compromises occurring. It then goes on to define what a security compromise is, with a pretty wide range of definitions. Among them, new subsection (2)(f) refers to

“anything that occurs in connection with the network or service and causes any data stored by electronic means to be … lost … unintentionally altered; or … altered otherwise than by or with the permission of the person holding the data”.

As far as I can see, nothing in the Bill limits security compromise to those that come from hostile states, and that is a good thing, since security compromise could well come from criminals. The risks that I have described do occur in connection with the network or the service, and they may cause electronically stored data to be lost or altered. So on my first reading, it appears that the risks that I have described may be covered or could easily be covered in the Bill if a suitable code of practice was issued.

In passing, on that subject, I share the concerns raised by the Delegated Powers and Regulatory Reform Committee that the codes of practice will not be subject to meaningful parliamentary scrutiny.

If the security risks that I have described are not intended to be covered by the Bill, we are missing a golden opportunity to make it harder for criminals to use our communications networks and services to perpetrate fraud on consumers. The Government are planning to produce a fraud action plan, but not until after the spending review. In the meantime, people will continue to lose their money, with all the mental and personal impacts that brings. It may not currently be intended to do this, but this Bill with very little change could be used to cut off one of the major facilitators of fraud with very little delay. Would the Minister be willing to consider how the Bill could be amended to meet that goal, and would she be willing to meet to discuss what actions we can take to safeguard users of the services from criminal misuse of telecommunications networks or services?