Good afternoon. We will now hear oral evidence from Rocio Concha, director of policy and advocacy at Which? and Jessica Eagleton, senior policy and public affairs officer at Refuge. We have until 5 o’clock for this session if needed, but as we have started ahead of time I am sure that nobody will mind if we finish ahead of time. Please could the witnesses introduce themselves for the record? Then I will turn to the Minister to ask the first question.
I am Rocio Concha, director of policy and advocacy and chief economist at the consumer group, Which? Thank you for the invitation to provide evidence. The Bill is quite important for consumers. We have been very supportive of the work that DCMS has done in the Bill. That is very good, and I hope that I will have the opportunity to explain how the Bill can be improved to achieve its objectives.
Good afternoon, everyone. Thank you for inviting me to give evidence. I am Jess Eagleton, senior policy and public affairs officer at Refuge, which is the country’s largest specialist provider of gender-based violence services. We provide a host of services including refuges, community outreach and a specialist tech abuse team. I am here today to speak to you about technology-facilitated domestic abuse.
Q Thank you both for attending. As a Minister, I am concerned about the general lack of awareness of the risks and vulnerabilities when it comes to internet of things devices. To what extent do you believe that the legislation will help to stimulate a consumer discussion about how we best protect ourselves against some of the threats that are emerging as the technology develops? It would be helpful, Ms Eagleton, if you could set out your own interests in terms of Refuge and the vulnerabilities that have been highlighted in your work when it comes to the impact that an insecure connected device can have on an individual.
Of course. The first thing to say is that we are seeing technology-facilitated domestic abuse becoming ever more prevailing. Technology in all its varieties is providing domestic abusers with a host of new means and methods to perpetrate abuse—to monitor survivors, track their whereabouts, harass them and stalk them—so much so that, as I said, we set up a tech abuse specialist team a couple of years ago. Of the women and children who we supported last year, 59% said that they experienced abuse involving technology, so we are seeing a growing threat.
The specific devices that we are talking about, which are covered by part 1 of the Bill, offer a whole host of ways for abusers to abuse. I am thinking about home security cameras and home security devices such as doorbells, which provide almost 24/7 oversight of a survivor’s movements in the home. Camera and microphone functions can be used to listen in on survivors and capture intimate images without consent, which can then be used later to threaten and coerce the survivor. There are also things such as smart plugs and smart thermostats, which can be remotely accessed and used to frighten survivors—for example, by turning alarm systems on, or putting blaring music on, in the middle of the night. That is happening in the relationship and after it as well, so we are seeing remote access being used in that way.
Some of our concerns about devices relate to access. Thinking about the power imbalance in a domestic abuse relationship, it is the perpetrator who often sets up such devices. They have the password and full admin access, which means that the survivor therefore has limited ways to access a device. We have had some difficulty when talking to companies to try to support survivors to take back control of devices, particularly once a relationship has ended and a survivor has fled. Where they have devices in their home to which the perpetrator still has full admin access, it is particularly difficult to get companies to override that. That is something that we would welcome further work on, in terms of companies taking steps to support survivors to make changes to settings.
Your question was on whether the Bill will help consumers to understand these issues, and it will. As you know, one of the principles in the Bill is transparency—when you buy these products, you will know for how long they will be supported. That will help with awareness. There is a lot more that can be done to raise awareness of these issues. There is a limit on what consumers will know about how to protect themselves, so the direction in the Bill about banning default passwords is quite important, as is the point of contact for security vulnerabilities.
Jessica has explained very clearly the harms. There is an opportunity for the Bill to be more assertive. At the moment, the Bill says that the Secretary of State “may” include baseline security requirements. We know that these are not the right baseline security requirements, so the Bill should be clearer that they will be included. We also think that the Bill needs to list the three security requirements, which would give a clear steer to the industry that they are to be introduced. We are worried that the Bill as drafted could lead to more delays in introducing things.
If we want the Bill to achieve its objective, we must be careful to ensure that online marketplaces are within scope. I would argue that they have to be because, as a consumer, it makes no difference whether you buy your smart product on the high street or from Amazon, eBay or AliExpress; you assume that the product is compliant with the regulations in the UK, so it is important that the Bill also covers that area. Otherwise, you know where the bad actors will go—they will be selling insecure products on those online platforms.
Q Do you have any view on the enforcement powers in the legislation? Do you think that they are sufficient to deal with non-compliance?
On enforceability, if you do not include online marketplaces, you are leaving a big gap, because these products can come from any country in the world when they are being sold in these online marketplaces.
Another area that is not clear in the Bill is how consumers can get redress. As part of the transparency requirement, suppose that you buy a product that says that it will be supported with security updates for four years, but two years down the line, the manufacturer decides to change its mind and to support the product for only two years. Where would the consumer go in that instance? They bought the product on the basis that it would be supported for a set amount of years.
The other thing that is not clear is who the regulator enforcing this will be. Obviously, we need to make sure that the regulator has the skills, powers and resources to enforce it.
Q My first question, for Ms Eagleton, is on tech and some of the work that Refuge has done to highlight the fact that, as you said, 50% of all cases of violence against women and girls now involve some sort of device. What conversations are you having with the Government on funding and advertising to try to show that these devices have an impact? On new technology, such as AirTags, we have seen some very good pieces from journalists explaining how that is increasing the options for people to stalk, follow and track others, with terrible cases of people who have been victims of domestic abuses historically finding them in their cars. I am wondering how all that links into the work of the Bill, about areas where you would like to see improvements to acknowledge the fact that technology is moving so quickly, and whether we can do something in the Bill to introduce meaningful support for women and girls who are victims of violence.
Perhaps I can take your second question first. You are right that we are seeing concerns about these types of products being used to stalk and to monitor. In terms of concrete measures and what the Bill can do in this respect, we welcome some of the security requirements, particularly around the vulnerability disclosure scheme, as a step forward. For example, in the work that we do to support survivors, having that public point of contact and an easily contactable place for a company to go, when we are reviewing these products and putting forward recommendations to companies, is definitely a step forward.
We would have some concerns about situations where companies might publicly disclose security flaws and perhaps not take steps first to address them. We have that concern because that could, in essence, alert an abuser to a new way to abuse a victim. It could alert them to a device that they could purchase or that is already in their home that would provide a new way of compromising, so we would like to see companies taking all reasonable steps to address and action some of these security flaws before there is that public disclosure.
On your second point about services, our tech abuse team is a unique service in the country in providing specialist frontline support to tech abuse survivors, but it is a chronically under-resourced service. Perhaps in the context of this Bill, we would really like to see thought given to a percentage of the fines that the regulators collect for non-compliance by companies going, for example, to fund some specialist support services. I think that would fit within the wider ecosystem of enforcement as well. If we have specialist services that survivors can go to and ensure that they are sustainably funded and able to support survivors, that would contribute to the wider enforcement regime and awareness.
Q You mentioned the broader point of industry and manufacturer engagement, and situations where they announce that there is flaw but do not think about the consequence of announcing a way in which someone can hack a mobile phone, for example. Is it fair to say that the industry does not necessarily fully appreciate the impact its technology has on women who are victims of domestic abuse? What work is it doing already, without legislation, to acknowledge that its devices are playing a significantly greater part in impacting on people who are survivors or are being abused currently?
It is not always thought about that the devices can be used in this way. A lot of the focus of companies in this space has been on how to prevent devices from being compromised by unknown third parties—hackers from overseas, for instance—rather than in the context of domestic abuse. Thinking about things like passwords and default passwords is a welcome step, but in the kind of relationships that we are talking about and dealing with on a daily basis, the perpetrator will force the survivor to divulge the passwords to their devices and all their online accounts. That is not necessarily always thought about by these companies.
However, we are engaging with the companies as much as we can on what we are doing as a smallish team. Thinking through what can be done in future, it is about continuing to place emphasis on and put work into safety by design, which means ensuring that, from the get-go, product manufacturers and designers are thinking about how these products could be misused by domestic abusers. It also means working in collaboration with specialist violence against women and girls services to ensure that those features are designed out as far as possible.
Q I have a final question for Ms Concha on the online marketplaces, which do significant work in this area. In your view, how easy would it be to change the Bill to ensure that online marketplaces are part of it as well as manufacturers? The argument was made earlier that there most certainly is a responsibility on those who sell the product. Particularly if you are using, say, eBay, there is often limited interaction between the seller, the parent company and the person purchasing. Arguably, eBay as the organisation should take significant responsibility. I am keen to understand whether you think that is a relatively easy change for the Government to make to help close what you describe as a significant loophole in the Bill.
In terms of the Bill, an example could be to change or tighten the definition that you have of distributors. In terms of implementation, online marketplaces are the gateway between the consumers and the manufacturers of these products. They are the ones that have the power to make sure that these products comply with the law. Let me give you an example. We routinely do product tests to identify security vulnerabilities with these products. Often when we go to the online marketplaces, we get the answer that, because there is no regulation, they cannot take these products out.
We need the regulation to be clear that any smart product needs to comply with these baseline security requirements. Also, we need regulation to put responsibility on the online platforms to make sure that they are monitoring proactively which products are being sold on their platforms. That is key, and I feel that it is not optional. It is quite clear what is going to happen. There are bad actors out there, manufacturing products that are not going to comply with the baseline requirements. They know that there are not going to be the necessary checks in there by the online marketplaces, but the consumer does not know. It is impossible for the consumer to make an assessment of whether the product will be secure or not. Unless we put in regulation, you can see where all these bad actors are going to go.
Good afternoon to you both. It is clear that in the Bill the onus is on the manufacturers to meet the product security and safety requirements. Clearly, consumers also need to be aware of security threats both within the context of domestic abuse and otherwise. Should the Government be giving guidance to consumers? I do not know what the current situation is, but is it the role of the Government to give guidance to consumersQ ?
I personally think that yes, the Government should provide information to consumers so that they are aware of this. Organisations such as ours also play a role, and we play it. We continuously publish our findings on security vulnerabilities and the sorts of things that consumers can do to protect themselves. There is a need for more information for consumers in general so that they can be aware that when they put these products in their homes, unless they take certain steps and buy products that meet the regulations that we hope will soon be introduced, they are putting themselves at risk.
I would agree with what my fellow panellist has said. When we think about tech abuse, we see that awareness of it is quite low among the general public. In fact, in a survey we ran last year the results were that two thirds of women did not know where to go for information if they thought that a device in their home was compromised. There is a role there for that awareness piece. At Refuge, the approach we tend to take is to empower survivors to use technology safely and to take back control of their products and technology. We have developed a range of resources to do that, but we would welcome more work and more efforts on this more widely.
The national domestic abuse helpline is the gateway to a wide range of domestic abuse services across the country. If she phoned the national domestic abuse helpline, we would be able to help her there, and help her with safety planning and next steps. We have some resources on our website and have recently developed a home safety tool that talks you through various devices in the home and gives tips on how to secure them.
Q On the Which? side, Ms Concha, one of our earlier witnesses said that they thought it would be a good idea if the Bill were amended to establish in law a minimum time limit for which this type of device is supported. Is that something that Which? would support?
No, we have not, but we have provided amendments in other areas. We have provided an amendment to allow the Bill to introduce this through secondary legislation in the future, and there is an amendment there. We would be happy to discuss that in more detail.
Q Genuinely, do you think that it is a preferable outcome for the measure to be in secondary legislation so that it might be a little more flexible, rather than putting it on the face of the Bill?
It depends. On these baseline security requirements, we firmly believe that the Bill should list them and be very clear that they will be included. In terms of the minimum security periods you provide to different products, it will depend on the different products and we do not want to delay the legislation to get to the bottom of that. It would be preferable to allow that legislation to be introduced as secondary legislation.
Some of the most common devices we see reported to us include your smart home hubs, smart voice assistants, smart TVs, plugs, light switches and fitness trackers. Those are some of the most commonly misused. I myself have various different connected products at home.
Perpetrators quite often set up a host of different devices in the home. Recently, we supported a woman whose former partner had bought a whole host of devices, including smart cameras, a smart doorbell, a smart thermostat—all those kinds of things. She and her child felt like they were constantly being monitored; they talked about how exhausted they were by that constant surveillance.
Q You mentioned that people could report that sort of thing using a helpline, but are women concerned that, if they make a report using the internet on their computer or telephone, that might be detected by the abusive partner?
It is definitely a big consideration. That is why we advise that people get in touch with us and then we can help with safety planning. If a perpetrator has access to those devices and a survivor moves to take back control of them and change the settings, that can be detected by someone with that access. We would work with a survivor to safety-plan how to control her technology.
Q Ms Concha, you represent the consumer perspective. I wanted to ask about some concerns around labelling that were put to us this morning. In particular, Google mentioned that it has concerns about having a static label on the product because security information changes all the time—a product might be fine today, but it could discover a vulnerability about it tomorrow. It strikes me that we are dealing with a really wide range of security awareness, and ability to use and understand technology among consumers. Google suggested a sort of live label, such as a QR code, which could give the real-time security status. What do you think is the best way to communicate security information to consumers—such as the information in requirement 3, about the minimum time for which a product will receive security updates—bearing in mind the huge range of understanding and ability that we have in this area?
Is this about the length of time a product will be supported for? That information should be provided clearly at the point of sale, before you make a decision, so that you know you are going to buy something that may be supported for only two years, versus another product that may be supported for longer. That will hopefully provide everyone with the incentive to extend the number of years for which a product is supported.
We also need to make sure that that information is very clear. We should avoid “up to three years” and “for the lifetime of the product”, which do not really mean much for the consumer. For the consumer to be able to act on that information, it has to be very clear and easy to find when they are making that decision. That is what I would say.
On changing the security, I am a little worried about the industry saying that it may change the period during which a product will be supported. If that change is to extend that period—great; if it is to reduce it, that is very bad. At that point, the consumer has made a decision and bought a product because that product was going to be supported for longer.
If someone was told that a product would be supported for four years, and they later found out it was two years, that product would not be fit for purpose. Under the Consumer Rights Act, you have a right on the same grounds as the Consumer Protection Act 1987.
If there are no further questions from Committee members, that brings today’s sitting to a close. On behalf of the Committee, I thank the witnesses for their evidence this afternoon. The Committee will meet again on Thursday at 11.30 am in Committee Room 14 to begin line-by-line consideration of the Bill.