My Lords, I am happy to move Amendment 2 in this group and will speak also to Amendment 4. I am grateful to the noble Lord, Lord Fox, for signing up to our Amendment 2. Part 1, as we have said, represents a step in the right direction on product security. The Bill is, as is increasingly the case with this Administration, a general framework Bill which will have much of the detail filled in later by regulations—a point that the noble Lord, Lord Fox, among others, has persistently made, and we have made from our Benches.
Noble Lords might say that Amendment 2 is a rather crude way of discussing the processes and timescales attached to the regulation-making powers in this part of the Bill but, as was mentioned in the previous group, we need much more information about when these regulations are going to be brought forward. Have some already been drafted? If so, can we see them in advance of Report and certainly before Third Reading? If not, why not? Do any of them need to be consulted on, and if so, what implications will this have on the implementation of new rules and systems? This is, as we have heard before, a time-critical Bill so the regulations are time critical as well and, we argue, need an early airing.
Colleagues in the Commons expressed concern that it has taken too long to get to this stage. We, too, regret that the Government have not worked to introduce some of these measures at greater speed and that more of the detail is not in the legislation, a point which the noble Lord, Lord Fox, eloquently made earlier. Surely it would have been possible to do this, given that the Bill was carried over from the previous Session.
Turning to Amendment 4, it
“seeks to place certain product security minimum standards, including the prohibition of so-called ‘default’ passwords, on the face of the Bill.”
We think this is an important amendment. I credit Which? as where it draws its inspiration from. It is right that we have some core security principles in the Bill. We know that the Government have form on overpromising and underdelivering. Surely these important security matters should not be left to the whim of the Secretary of State at an undetermined point in the future. This process provides a perfectly good opportunity for us to enshrine the requirements in primary legislation, whether in the form of Amendment 4 or Amendment 5 or something else. We believe that there is a strong case for action.
One of the core concerns of consumer organisations —we are very grateful to them for their briefings and support—and, in the current economic context, of shoppers across the country, is whether security updates will be provided across the product’s lifespan. Many devices stop receiving security updates long before any reasonable person would expect to replace them. This leaves people facing the option of shelling out more money again for a secure replacement or retaining a device which is at higher risk of some form of attack or has a fundamental security flaw. Amendment 4 would at least require manufacturers to provide clear information on the availability of security updates, while Amendment 5, tabled in the names of the noble Lords, Lord Fox and Lord Clement-Jones, would go further and require mandatory minimums to be specified in regulations.
I will not go into detail about Amendment 3 but welcome its focus on children. I am sure that we will have many debates about child safety on the forthcoming Online Safety Bill, but Amendment 3 asks a legitimate question of the Minister, and we look forward to his response. I beg to move.
My Lords, I will speak to Amendments 3 and 5 and in support of the other two amendments in this group. All these amendments refer to Clause 1 and seek to add some specificity to its general nature. The first amendment in my name and that of my noble friend Lord Clement-Jones is Amendment 3. This inserts a new paragraph (c) into Clause 1(1), adding the text
“children where they are not primary users of products but are subjects of product use”.
Why is this necessary? Here I am indebted to a report on cybersecurity, the UK Code of Practice for Consumer IoT Security produced by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity. Noble Lords may be aware of this group; it has a very strong record in this area. It is a consortium of leading UK universities dedicated to understanding the critical issues of the privacy, ethics, trust, reliability, acceptability and security of IoT. I commend this organisation to the small number of noble Lords in this Chamber interested in this area.
This report highlighted, among other things, the importance of children’s connected toys receiving the necessary scrutiny, due to the implications of embedded cameras and microphones, with the aim of ensuring the child’s and the parents’ protection and right to privacy. Such devices include a wide range of everyday artefacts with internet connectivity intended for use by children or in caring for them, such as interactive toys, learning development devices and baby or child monitors.
These connected toys and tools have the potential for misuse and unauthorised contact with vulnerable minors. The British Toy & Hobby Association has responded by offering a range of guidance notes and by interpreting the code of practice, but with SMEs manufacturing most of these devices, there is much more to be done to ensure that those organisations are sufficiently informed and equipped to produce and market toys that are secure.
Security is not straightforward, as the Minister has already pointed out. While these devices offer a range of advantages through their connectivity, they also potentially expose children and their families to risks that have not yet been fully articulated to many of the consumers who are buying these toys.
A real-life example is that the toy giant Mattel launched Hello Barbie. The Minister may be familiar with it—I do not know. This was as far back as 2015. It was a very innovative toy which it launched with a start-up business called ToyTalk. The principle of this toy was that it could converse using internet connectivity with speech recognition, so as well as talking it could listen. Hello Barbie also allowed parents to log in later and eavesdrop on their children’s conversations with their toys. I will leave your Lordships to decide the ethics of that.
But this connectivity raised some concerns, primarily around who could listen in and record these devices and store conversations and behavioural and location data, and for what purpose this data could be used. Toys like these are now prevalent and they raise significant questions about the appropriate support and guidance for the toy manufacturers, which understand an awful lot about conventional safety—they know how to make physically safe toys—but do not have a track record on developing informationally and data-safe toys because they have never been asked to do that before. This is a new venture for them, and it requires a totally new set of skills and standards, as the Minister might say.
As technology evolves, hacking is increasing in sophistication, so it is necessary to keep moving forward. The challenge for cybersecurity in remaining ahead of the risks is inevitably a technological one, and the Minister may remember that the Hello Barbie toy, having been launched and lauded for its security, was ultimately found at some point to have serious security issues. Even that toy, from a very large manufacturer, fell foul of the progress of information crime.
Nevertheless, it is clear that today some toy manufacturers are releasing connected toys without adequate safety and security features. This is a competitive and dynamic marketplace—a lot of it is to do with price—and first movers are rewarded. In addition, the skillset and knowledge base, as I have just said, for conventional toy safety is mismatched with these new toys and we need to find a way of addressing that divergence. This is going to require investment and new learning and will not happen unless the toy manufacturers are required to do it.
Secure software development and cybersecurity are novel demands on this sector. However, the fact remains that these toy manufacturers are potentially placing consumer safety and privacy at risk. It does not matter whether this occurs due to the immaturity of the sector, market pressures or the lack of sectoral attention to the problem.
In the view of the PETRAS report,
“there are no indications that this will be addressed through market forces. Instead, the certainty of legislation to maintain standards would level the playing field and make clear for SMEs where they need to invest to make their toys market ready.”
Thus, more than the technological challenge of staying ahead of hackers, what is salient here are the challenges to the implementation of basic security features in manufacturing such as basic authentication and encryption, without which children’s safety and security is at risk.
This amendment explicitly places child security front and centre in this Bill. In other legislation involving the internet and digital issues, such as the Online Safety Bill, the Government have imposed more onerous duties on those delivering services to children than to adults. This amendment would be entirely consistent with that approach—very much in the spirit of understanding that our children and young people are more vulnerable and therefore need more protection from harms.
I turn next to Amendment 5. The eagle-eyed among your Lordships will spot that it is very similar to Amendment 4, proposed by the noble Baroness, Lady Merron, and set out very elegantly by the noble Lord, Lord Bassam. In fact, I would suggest that, largely, its construction is better than ours because they managed to do the same thing in fewer words. I will speak to Amendment 5 but my comments apply to Amendment 4 as well.
Amendment 5 seeks to ensure that:
“Regulations under this section must include provision that all security requirements specified in accordance with this Act are included as essential requirements in statutory conformity assessments and marking procedures under the Radio Equipment Regulations 2017 … and in any other such assessments and procedures applicable to relevant connectable products.”
I am speaking to the spirit of both these amendments. Amendment 5—similar to that of the noble Lord, Lord Bassam—follows on from the advice and help of Which? I thank that organisation, which has really been at the forefront of the consumer issues involved. In essence, the amendment picks up on three of the issues that the Minister tells us will be dealt with in SIs as soon as the Bill becomes an Act, but it takes the rather stronger approach of placing them in the Bill.
Paragraph (a) of proposed new subsection (2A) goes further than the general principle in specifying that passwords are not to be weak. As Which? explains, many smart products push the user to create a password themselves, rather than use a default password. However, they then allow weak and easily guessable passwords to be created, meaning that the risk of compromise stays high.
One of the outcomes of this amendment would be the introduction of a requirement for responsible password policy guidance to be adopted by the industry to ensure that security liability is not simply passed from the device manufacturer to the consumer. The Bill and associated guidance should be amended to clarify that every individual device must have a unique or user-set password that meets effective complexity requirements.
Paragraph (b) of proposed new subsection (2A) seeks to avoid the risk of disclosures going into a black hole or taking many years to fix. The Bill and associated guidance should be amended to make clear what is required of manufacturers, importers and distributors on provision of disclosure policy information, particularly around vulnerabilities. The appointed regulator should also clearly define and distribute a risk assessment framework for vulnerabilities that removes any sense of subjectivity and ensures that the response is effectively mandated.
Paragraphs (c) and (d) of our proposed new subsection concern the length of time a product is supported. The Government should introduce mandatory minimum support periods for smart products and consider whether these periods should reflect how long consumers, on average, continue to use such products. There is a precedent here. New ecodesign and energy labelling requirements came into force in England, Scotland and Wales in 2021. They include a requirement for electronic display items, including televisions, to be provided with firmware and security update support for a minimum of eight years after the last unit of a model has been placed on the market. A consistent approach to support periods for a range of products therefore needs to be considered, and it has already been considered in this other legislation.
Customers need absolute clarity on the support period manufacturers will offer, so that they are able to make more informed purchasing decisions. There must be a clear definition of what the “point of sale” means and how this relates to the definitions of “supply” in Clause 55. Without clearer specifications on what form the transparency requirements will take, there is a risk that this information could be hidden, obfuscated or even misleading. This amendment is designed to probe the Government’s thinking on these very important issues.
Finally, and very briefly, as a signatory to Amendment 2, I give it my full support.
I am very grateful to noble Lords for setting out the cases for Amendments 2, 4 and 5. Since January 2020 the Government have been clear on introducing security requirements based on the three guidelines to which I referred in the previous group.
The commitment to set requirements has been made in response to consultations, published strategies and indeed to the Explanatory Notes to this Bill. Our notification to the World Trade Organization also contained reference to some of these documents. We have put manufacturers, trade bodies and industry representatives on notice. Supply chains are long and surprises unwelcome, so the Government have been very clear on whither we are heading.
Amendment 2 would remove any discretion the Secretary of State has to make regulations. I appreciate that the intention behind tabling it is to explore this issue, and I hope I can assure noble Lords that it is not needed. The regulations will be made, and swiftly. Indeed, we have already consulted on them, in 2020, which I hope gives noble Lords some reassurance that we intend to move swiftly in this area.
Amendments 4 and 5 would insert specific security requirements into the Bill. As several noble Lords mentioned at Second Reading, it is important that technology regulation enables the Government to respond to changes in threat and technology, and to the regulatory landscape. That is precisely why the Bill does not contain details of the requirements that the Government have assured industry they will set out.
We are committed to providing businesses with the detailed technical information they require to comply with this regime in the security requirements that we set out in regulations, and to keeping that information up to date as technology evolves, but the rate of technological change is swift in connectable products and cybersecurity, as noble Lords have noted. Our requirements need to be able to respond and adapt to those changes. Obliging the Government to set out requirements framed using terminology that may seem appropriate today could limit the security benefits of such a requirement in future, impose impractical obligations on businesses, create new security threats or introduce barriers to innovation. Further, if we put some security requirements in the Bill now and additional requirements in secondary legislation in future, we would risk confusion.
Amendment 5 goes further still and would oblige the Government to mandate minimum security update periods for connectable products. There is, however, no consensus among industry experts on how long security updates ought to last. We have been clear with industry that we see timely security updates as an important mechanism for protecting consumers. That is why we will use this legislation to require manufacturers to make information clearly available on how long their products will receive these updates.
Perhaps the Minister should consult whoever drew up the legislation that managed to mandate that televisions should be updated for firmware and software for up to eight years after they have stopped being manufactured. Clearly, those people managed to find consensus among the industry—or decided to ignore consensus—and deliver something. If it can be done for electrical display devices, such as televisions, I do not see why it cannot be done here if there is a will to do it. However, I think the Minister is telling us that there is no will to do it.
The noble Lord referred to mandatory minimum support periods for electronic display items and the Ecodesign for Energy-Related Products and Energy Information Regulations 2021. It is not quite correct to say that those requirements are applicable. They ensure that the last available security update continues to be available for at least eight years after the last unit of a product has been placed on the market but the requirement does not ensure that manufacturers continue to provide new security updates over that period to ensure that the product remains secure in response to changing threats.
I did not say that those requirements are applicable; I implied that they are analogous. Frankly, the fact that there is some mandating of security support after the product has stopped being manufactured is a heck of a lot better than the situation for all the connectable devices we are currently talking about, where there is no requirement at the moment.
I do not think that they are quite analogous. As I say, it is about the requirement to keep the last available updates available to consumers for eight years rather than evolving them. We do not yet consider that there is sufficient evidence to justify minimum security update periods for connectable products, including display equipment—certainly not before the impact of the initial security requirements is known.
It is important to stress that, as consumers learn more, they will expect more. This will drive industry to respond to market pressure. If the market does not respond to this effectively, the Government have been clear that they will consider the case for further action at that point, but we think that consumer expectation will drive the action we want to see in this area.
Amendment 3, tabled by the noble Lords, Lord Clement-Jones and Lord Fox, refers to children. All noble Lords will agree, I am sure, that protecting children from the risks associated with connectable products is vital. I assure noble Lords that the security requirements we will introduce are designed with consideration for the security of all users, including children, alongside businesses and infrastructure. The Bill already gives the Government the flexibility to introduce further measures to protect children, whether they are the users of the products or subject to other people’s use of a product. We therefore do not think that this amendment is necessary as this issue is already covered in the Bill.
The Bill, and forthcoming secondary legislation, will cover products specifically designed to be used by or around children, such as baby monitors and connectable toys; they include Hello Barbie, which I was not familiar with but on which I will certainly brief myself further. However, we recognise that the cyber risks to children are not limited to the connectable products in the scope of this Bill; indeed, a lot of the issues referred to by the noble Lord, Lord Fox, were about the data captured by some of the technology, rather than the security of the products themselves. That is precisely why the Government have implemented a broader strategy to offer more comprehensive protection to children—including through the Online Safety Bill, to which the noble Lord, Lord Bassam, referred.
I hope noble Lords will agree that Amendment 3 is not needed to make a difference to the Bill’s ability to protect children from the risks associated with insecure connectable products—this is already provided for—and will be willing either to withdraw their amendments or not move them.
My Lords, this has been a useful and interesting exchange.
In my lordly world, “may” and “must” are sort of interchangeable; they were a useful peg on which to hang our discussion about the statutory instrument nature of this piece of legislation. I am somewhat reassured by what the Minister had to say about that, and acknowledge that some of the regulations were brought forward and consulted on at an earlier stage. However, we on this side of the House—I am sure that I speak for the noble Lord, Lord Fox, as well—want to see increased transparency throughout this process. So much of what is in front of us will be in secondary legislation; it is essential that we, the industry and the sector are properly consulted so that we understand exactly what we are dealing with. I make that plea at the outset.
I was pleased to hear what the Minister said about children as the primary users of particular products. I am glad that we have got beyond the “Peppa Pig” world that the Prime Minister occasionally occupies and are giving this issue proper, serious consideration. It certainly needs to be that way.
I am not entirely convinced by what the Minister said on Amendment 4. I look at our amendment; it is pretty basic, actually. It is hard to argue against setting out a particular prohibition in legislation. The ones that we have picked out for prohibition and restriction are quite important and essential. Of course, the Minister is right that those subjects will change and technology will overtake the words we use. We understand that point but we are trying to secure some basic minimum standards and protections here. Clearly, we will retreat with our amendment and give it some further thought before Report, but we may need some further persuasion on this. That said, I am quite happy to withdraw Amendment 2 and not move Amendment 4.
Amendment 2 withdrawn.
Amendments 3 to 5 not moved.
Clause 1 agreed.
Clause 2 agreed.
Clause 3: Power to deem compliance with security requirements