It is a pleasure to close this Second Reading debate. The first job of any Government is to keep their citizens safe, and I am glad that the security elements of the Bill were developed in conjunction with the National Cyber Security Centre and the Department. Her Majesty’s Opposition have the utmost confidence in our national security services, which go to such incredible lengths to keep us all safe in an increasingly difficult online world.
A number of speeches have been made by Members on both sides of the House, but let me deal first with what was said by my hon. Friends the Members for Ealing North (James Murray) and for Luton South (Rachel Hopkins), both of whom spoke about the notspots in their constituencies and the increasing problems with access to tech. People may have the “plumbing” that can provide a good standard of broadband, but they may not have, indeed may not be able to afford, the equipment that would give them access to it.
We in the Labour party put security at the heart of everything we do, and it is owing to that desire to see people in this country safe in cyber-space that we will not oppose the Bill. However, there are issues that we feel should be addressed in it, some of which have already been mentioned today.
The product security measures in part 1 contain proposals that Labour fully supports. They include a ban on devices that come with easy-to-guess passwords such as “default” and “admin”, and oblige firms to make such vulnerabilities public knowledge, with those failing to comply being threatened with large fines. That is especially prudent as it institutes common-sense rules for sellers to follow, and ensures that consumers are more engaged in cyber-security. Basic cyber-hygiene is paramount, and measures such as changing default passwords would do a great deal to improve devices’ security by, in theory, adding an additional layer of protection. However, we agree with many in the industry that certain measures could have gone further, and we will continue to hold the Government to account in the areas where we believe that to be the case.
While the pursuit of increased security on devices is laudable, there are concerns about the practicality of such changes. If each device is now legally bound to have a private password, who will be responsible for managing it? Given the plethora of smart devices that we all use, I am sure that we have all forgotten a password or two; I certainly have. If a device needed to be repaired and the user had forgotten the password, how would the specialist repairing the phone gain access? Many in the industry believe that that could potentially lead to a situation in which manufacturers might have to provide “super-user accounts” or “backdoor access”.
The Bill also introduces the mandating of manufacturers to tell consumers at the point of sale about the product’s lifespan and for how long it will receive security updates.
While we can all agree that more transparency is a good thing for customers, if security updates are available for a few years—as is the case with Android phones, for example—surely that will lead to built-in obsolescence, meaning, in this case, smart devices being excluded from key security updates after a relatively short lifespan.