Clause 1 - Power to specify security requirements

Part of Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee am 11:30 am ar 17 Mawrth 2022.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Kevin Brennan Kevin Brennan Llafur, Gorllewin Caerdydd 11:30, 17 Mawrth 2022

Good morning, everybody. Happy St Patrick’s day to everyone. I congratulate the Minister on her first Bill. I have been through the process many times, and it is an exciting and proud moment to lead on a Bill for the Government for the first time. When I did it, my father, who was from West Cork, said, “Not bad for someone from the peat bogs of West Cork.” I am sure that the Minister’s family are equally proud of her achievement.

I want to raise a couple of general issues, as we are debating the first three quarters of the Bill in this grouping. I congratulate the Minister for providing such a comprehensive impact assessment on the Bill. I was slightly confused by the figure for the cost of business, which is set at net present value, and is put at “£1,246.9.9” million. That figure looks like a typo. I wondered what the correct figure was, and if the Minister could provide it. I suggest it is just the one “point nine”.

This is a very significant piece of legislation, given the impact it will have on consumers and business. It is very technical. Page 8 of the impact assessment details the Government’s key assumptions about how the Bill will impact on businesses. Businesses will have to dispose of devices that no longer satisfy the criteria that the Minister is likely to set. The impact assessment’s optimistic assessment of what percentage of devices will have to be disposed of is 5%. Its working assessment is 45%. The figure it is using, however, for the impact on business is that 10% of devices will have to be disposed of by businesses.

I know that making impact assessments is not a precise science—to a certain extent, it is about trying to look into a crystal ball—but there seems to be quite a difference between the assumption that the Government are making of 10%, their best case scenario of 5%, and the worst-case scenario of 45%. Can the Minister explain to the Committee why there is such a wide range of figures? As far as business is concerned, those figures are very different. If the Government have got this wrong, and we are in the worst-case scenario, businesses will dispose of four times as many devices as the Government thought. I would be very grateful if the Minister could fill the Committee in on how there can be such a difference between those figures.

I have another point on the impact assessment; my hon. Friend the Member for Ogmore raised similar issues. It is about smart speakers and an exchange that took place in the evidence session. It is not the first time that I have asked someone whether they would regard it as safe to have one of these devices in their home—smart speakers; an Alexa-type device. Nevertheless, it seems extraordinary that a cyber-security expert giving evidence to this Committee should say that they would not have such a device in their home, because they do not trust them. That is basically what the witness told the Committee. I then asked her, “Well, following the passage of this Bill, would you have one in your home?”, and her response remained no; she still would not trust them. A cyber-security expert giving evidence to the Committee said that even if the Bill contained the measures that the Minister is proposing, she still would not have such a device in her home.

The Minister might be interested to know that I asked the same question of the outgoing Information Commissioner when she appeared before the Digital, Culture, Media and Sport Committee, and she gave exactly the same answer; she, too, did not trust these devices sufficiently to have one in her home.

The Minister gave reassurances to my hon. Friend the Member for Ogmore, but how much further can she go to reassure this Committee that the Bill, and the subsequent regulations, will mean that consumers can safely have these devices in their home, and trust them? How can she ensure that security experts, the Information Commissioner and others will be able to say to the public, “It is largely safe to have these devices in your home”?

I say that because page 13 of the Government’s impact assessment says that smart speakers are present “in 22% of households” in the UK, which means that over one in five households in the UK already have devices of this kind. I presume that in general we would want a roll-out of safe connectable devices, because of the benefits that they can bring; they have huge benefits for people who are disabled, who use them to improve their quality of life hugely. It is worrying, is it not, to be told that they are not to be trusted. Could the Minister give us any further reassurances on that point?

Finally, I understand that at a later date, a new clause may be introduced on the issues that were raised with Which? in the evidence session. Which? was keen to emphasise that it would like something done to alleviate inappropriate minimum periods for security updates in support of these connected devices. I will not pursue that further at this point, because I understand that there may well be an opportunity to debate a new clause on that at the end of our proceedings.