Regulating the Internet of Things - the Government defence

Profile picture for user slauchlan By Stuart Lauchlan October 24, 2019
In response to the opposition’s view that not enough is being done to regulate the Internet of Things, Stuart Lauchlan reports on the government’s defence.

Image of Matt Warman

A recent debate in Westminster Hall saw Labour’s Parliamentary Under Secretary of State at the Department for Digital, Culture, Media and Sport Chi Onwurah accuse the current government of not taking seriously the need to regulate the Internet of Things (IoT) effectively.

Various other MPs of assorted political complexions took up the cudgels during the debate, until it was left to Matt Warman, Parliamentary Under Secretary of State at the Department for Digital, Culture, Media and Sport, to defend the government’s strategy.

As evidence that the Government is taking the IoT and related issues seriously, Warman pointed to the technology innovation strategy published in June 2019 and measures, such as the Spark procurement programme and the setting up of the Centre for Data Ethics and Innovation.

Terms and Conditions 

He began by agreeing with his accuser that this is a debate about data and who owns it. But while Onwurah was sceptical of the ‘teeth’ that GDPR has in respect to the IoT, Warman’s been briefed differently.   

On the principle of who owns the data, the General Data Protection Regulation applies to data controllers in exactly the same way, whether they are processing data that derives from the Internet of Things or anywhere else, so the principles that we all subscribe to, of the consumer owning their data, should persist. 

That is a hugely important starting point, and we should acknowledge that there is agreement on it.

Actually there isn’t, but Warman went on to suggest that consumers need to understand that they give up their data for “a particular purpose and a particular benefit” and that this process is predicated on consent:

It is obviously fine for an individual to choose what they do with their own data. If that involves...surrendering the data for a particular purpose, that is their decision to make....The point about consent being absolutely in the hands of the user is the most important one to make. That is why the cyber-security of the products that [Onwurah] refers to is so hugely important. In many ways; it is why we have put so much effort into delivering the code of practice for consumer IOT security.

In that process, security should not be an afterthought; it has to be embedded. Thus far, we have taken the approach of working with industry, and industry is now saying to Government that greater clarity, particularly in regulation, will help consumers and the industry itself.

And that help is badly needed. As Warman noted:

Many of the internet-connected devices that are currently on the market still lack even the most basic cyber-security provisions. Some 90% of 331 manufacturers that supply the UK market and that were reviewed in 2018 did not use a comprehensive vulnerability disclosure programme up to the level that we would expect; I think that Hon. Members on all sides would agree that that is unacceptable. Organisations have a duty of care to their customers, to help make sure that they can access and use their internet-connected products safely.

Although Government have previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that stronger cyber-security is built into these products by design. That is why we launched our consultation on secure consumer IoT in May...It allows us to talk about minimum security principles for connected devices, which my Department elaborated on in the document published last year. Our focus will be on ensuring that there is a baseline of cyber-security built into all consumer IoT products by design, to eliminate the most harmful practices.

On this point at least, Warman isn’t arguing that the buck can be passed over to individual consumers and citizens to take responsibility for:

We do not think it is right to expect all users of all internet-connected devices to become cyber-security experts, and we recognise the need to take from them the burden of differentiating between good and bad. That is why we have been clear with industry what good practices will look like, and we wish to support manufacturers of all sizes to embed them and to support retailers to make sure that they are obvious.

Helping people make better decisions

But the ‘emptor caveat’ argument is one he returned to throughout the debate:

It is obvious that not everyone reads the terms and conditions of every single thing they have signed up to for any website, but it seems to me that Government’s role in this space is not to stop people making those decisions. It is to make sure that people have a better understanding of the decisions they make, and that they trust the companies that are doing whatever it may be with their data. 

That obviously requires us to put certain constraints on the behaviour of companies, as we do in every other circumstance. However it should surely not be for us to say that people should not be allowed to make certain decisions? I think that on the Government side of the House we would be keen to free people up to make whatever decisions they reasonably want to make.

But it was back to political mission statements and aspirational claims to leadership that Warman returned several times:

When we seek to regulate in this area and on online harms, we in this country and across the parties should be proud that the UK is a liberal democracy that seeks to lead the way. We have an opportunity to shape a global debate. In some ways, the greatest thing we can do is use Britain’s status in this area and on the world stage to try to develop global standards.

The question is whether that can really be done when the Prime Minister is talking to the UN General Assembly about “pink-eyed Terminators”, clucking Alexas and giant dark data thunderclouds looming overhead as his sales pitch to the world around the tech leadership of a post Brexit Britain? For his part, Warman is nothing if not a party loyalist:

[Onwurah] says that we are not providing leadership and quotes the Prime Minister’s speech, but I say that his speech demonstrates the existing status of Britain’s leadership in the area already.

My take

On that last point, we must firmly agree to differ. Elsewhere Warman stuck to the brief as befits a former Government whip. But from a former technology journalist, I’d have hoped for something more than ‘read the terms and conditions’ as the underlying mantra on offer here.