It is worth saying from the start that this Bill certainly takes aim at some of the key gaps in how we regulate product security, so I am genuinely grateful that the Minister is seeking to address some of the issues that have been raised. I put on record my thanks to my hon. Friend the Member for Ochil and South Perthshire (John Nicolson) for leading on Second Reading and in Committee, as well as for getting the phrase “malevolent toaster” into Hansard.
I have warned the Chamber a number of times about the various threats from technology and online spaces. For instance, I have campaigned for tougher action against so-called cyber-troops—organised malevolent forces that weaponise misinformation against our democracy. I definitely think that there has been major progress in building public awareness about the importance of cyber-security, and the experience of the botched Brexit referendum and Trump’s time in the White House was a crash course in taking online safety seriously.
However, we do remain a bit behind when it comes to the so-called internet of things, which encompasses the many household objects we now connect to the internet, from security systems to smart fridges and, indeed, toasters. This is a real Achilles heel. Last year, there was a total of 1.5 billion attacks on the internet of things—up 100% in the first half of the year. When Which? set up a fake smart home, it found that it was exposed to 12,000 attacks a week, yet our slowness in recognising that threat has got us to a place where only one in five “internet of things” manufacturers are believed to embed strong security in their devices.
Discussions around the Online Safety Bill have shown as clear as day that many companies, and especially those in the big tech sector, need to be dragged kicking and screaming to implement the bare minimum level of safety for users, whether that is to age-regulate graphic content or to stop scammers. Of course, there are some exceptions, but in any such situation where the private sector prioritises profit over protection, the Government need to step up to protect users with at least a bare minimum level of safety. The Government’s decision to do so by enshrining the principle of security design is therefore very welcome on the SNP Benches.
It is also absolutely right that we embed the idea in the law that the onus should be on the manufacturers to provide security in the design of their products, bringing the UK framework into line with the Scottish Government’s cyber-resilience strategy, which has enshrined security by design as a foundational principle in Scotland’s cyber-landscape. And yet, oversights abound. I am sad to say that oversights were raised with the Government on Second Reading and in Committee, but a number still remain. Some of that points to the Government trying to push the Bill through at breakneck speed, but the Minister should caw canny about putting speed over consumer safety as that will only cause us all headaches further down the line.
One such oversight on Second Reading was the requirement for manufacturers to declare publicly security flaws in their products without requiring that fixes are carried out when the flaw is announced. Nor is there a requirement for automatic fixes to be in place. One without the other essentially has the effect of drawing a big red circle around the product’s flaws for hackers without giving users the tools to shore up their defences. We cannot expect users to be skilled in product patching, so a laissez-faire approach would be a serious mistake. Nobody should be fixing those flaws but the manufacturers, and nobody but the Government can require them to do so.
On Second Reading, the Minister was urged to implement a requirement for automatic patching or one for manufacturers to have a solution in place by the time that the product flaws are disclosed publicly. It is frustrating that no progress has been made on that front. I hope that the Minister can see that that is an urgent issue for public safety and that we all have to get it right. There has also been no progress in plugging the gaps in products left out of the Bill’s scope such as internet-connected ovens, medical devices, routers and second-hand products. On top of that, the Government have justified the exclusion of laptops and desktops by arguing that there is already a developed security software market. That may be the case, but only 58% of people in the UK use antivirus software. With home working on the rise, it is crucial that the Minister recognises the growing risk of laptops and desktops.
The somewhat unclear definition of “distributors” in the Bill also means that online marketplaces such as Amazon and eBay could argue that they are platforms or services, which would leave them outwith the Bill’s scope. That is a major oversight considering the number of unsafe products found on those sites. Closing that loophole would be a simple case of tidying up the language and explicitly including online marketplaces.
Although it is welcome that future regulations will require manufacturers to provide transparency on how their products receive security updates, leaving that up to the regulators feels like a bit of a cop-out. The Government have given no clarity on exactly what level of transparency will be required. Why not give us the details so that we can debate them fully in this place? Without those details, how can we expect enforcement to be in any way achievable?
Which? has been campaigning heavily on those two points, and I applaud its efforts to keep consumer protection at the top of the Government’s agenda. I urge the Minister to heed Tech UK’s call for the Government to undertake work to communicate the new framework to consumers. We risk causing a surge in electronic waste if the Bill causes consumers to perceive that their old devices are obsolete, so an effective comms strategy is needed to prevent an adverse environmental impact.
Before I wind up, I repeat the point made by my hon. Friend the Member for Ochil and South Perthshire on the Bill’s enforcement mechanisms. Clause 26(5) makes it clear that the Secretary of State will not be able to bring proceedings in Scotland, but the Bill will still establish enforcement mechanisms and a body to carry out enforcement. As the Scottish courts and legal system will have to manage enforcement action brought in Scotland, and as oversight of the Scottish legal system is devolved, it is only right that the Scottish Government should have a role in developing the enforcement mechanism. That is honestly just a bit of tidying up, and it is a bit tiring to have to remind the Government constantly not to treat Scotland as an afterthought, but sadly we are here again. What consideration has been given to the Scottish Government’s call for the inclusion of a duty to consult relevant Scottish Ministers when developing the enforcement mechanism and the security requirements to be enforced? On the topic of the devolved nations, I would appreciate it if the Minister set out what impact the Bill’s passage will have on the Scottish Government’s power to regulate products in Scotland, particularly in the light of the United Kingdom Internal Market Act 2020.
2.45 pm
The Bill is taking aim at many of the right problems in product security, and the SNP welcomes its aims in good faith, but the Minister is not returning that good faith, because she is simply ignoring some of the simple tweaks that we have asked for and suggested in order to close those loopholes and oversights. I hope that she will reconsider.