Ministerial foreword
Matt Warman MP
Minister for Digital Infrastructure
This government wants you and your families to be safe online. In these extraordinary circumstances, we all increasingly rely on internet-connected products to socialise, work and live out our lives. You should be able to trust that those products – whether they be watches, speakers, doorbells or baby monitors – are designed and built securely.
We are an unashamedly pro-tech government. Our support for such ‘smart’ technology is part of an exciting digital agenda we’re driving forward at DCMS; from providing world-class, next generation digital infrastructure to supporting emergent AI technology.
We also need to make sure that the growth of smart consumer products aligns with our commitment to make the UK the safest place to be online. Too often, manufacturers do not embed even the most basic approaches to cyber security into their products, leaving consumers unnecessarily exposed to a range of harms. Most consumers overwhelmingly assume that the products available in store and online are safe by default; the reality is that a number of insecure consumer smart products remain stocked on our shelves.
Cyber security is at the heart of the government’s approach to digital technology, and plays a critical role in ensuring people and businesses can benefit from the huge opportunities of technology. It is for this reason that my department has been working alongside the National Cyber Security Centre to urgently address consumer smart product security. In 2018, we published a Code of Practice for Consumer Internet of Things Security and have been supporting the development of the first industry standard on consumer smart product security.
Despite widespread adoption of the guidelines in the Code of Practice for Consumer Internet of Things Security, both in the UK and overseas, change has not been swift enough, with poor security still commonplace.
In January 2020, I announced the government’s intention to bring in legislation to ensure stronger security is built into consumer smart products. Since then we have continued to work at pace, collaborating with industry leaders and cyber security experts, to deliver world-leading legislation in this space.
This Call for Views is an important opportunity for us to test our proposed approach and for industry to input and help build a world-leading regulatory framework that promotes innovation while protecting consumers.
Engaging with the public, businesses and experts is crucial if we are to realise our vision of a more secure, confident and prosperous nation in the digital world. So please take this opportunity to share feedback and evidence, so that we can continue to work together towards this goal.
Matt Warman
Minister for Digital Infrastructure
Document guidance
What is the purpose of this document and who is it for?
This document describes the government’s proposed approach for improving the cyber security of consumer smart products sold in the UK through legislation. It details the scope of the proposed legislation, the proposed cyber security requirements that would be mandated for consumer smart products (the security requirements), how these requirements may translate into obligations on the producers and distributors of these products, and proposals for the enforcement of these requirements.
This document is being shared to gather further external feedback and evidence to inform the development of these proposals. Input from all interested parties, from individual organisations impacted by the proposed regulation, to trade associations, consumer groups, and cyber security subject-matter experts, is welcomed.
How should I read this document?
Supplementary technical detail
The government has collaborated with cyber security subject-matter experts, consumer groups and various other industry stakeholders in developing the policy proposals detailed in this document. For the benefit of stakeholders who have already engaged with these proposals, and for those interested in the technical detail of how the proposals could be implemented, supplementary technical details are included throughout this document. This includes suggested technical wording, potential material for supplementary legislation guidance, and possible measures.
For the benefit of stakeholders who have not previously engaged with these proposals, or who are primarily interested in understanding the broad intentions of the government’s proposal, these instances of technical detail have been separated out from the main body of the document in boxes such as the example below:
Definitions
Terms in single quotation marks - ‘like this’ - are defined in a definition table below each box and in the footnotes, and readers should also consider the text presented here when reviewing this document. A comprehensive list of all definitions used in the document is available in Appendix 2 - Proposed Definitions.
When terms in single quotation marks are featured in technical wording proposed for possible measures (predominantly in Section 3 - Security Requirements), those terms are intended to be interchangeable with their expanded definitions.
How should I provide feedback?
Upon review of these policy proposals, please consider the questions in Appendix 1. Respondents are invited to provide answers to these questions using the online feedback survey. Alternatively, respondents can download and populate the feedback form on the main page and email responses directly to [email protected]. Respondents are welcome to only answer the feedback questions relevant to them.
Supporting evidence should be submitted directly to [email protected]. Partial responses will be recorded and included in the analysis. If you wish for your partial response to be deleted and not included in the analysis, please email [email protected]. Please note that in doing so, you may be required to provide some of your responses to the survey (identifying information), e.g. your organisation’s name or the date and time you started and completed the survey, to ensure the correct response is removed.
If you are unable to submit your response using the online survey or via email, you can post your response to:
If you are responding by email or in writing, please clarify:
- if you are responding on behalf of an organisation or in a personal capacity
- which questions you are answering (there is no need to respond to all of the questions if they are not all relevant to you)
- whether you are willing to be contacted (if so, please provide contact details) and
- whether you prefer for your response to remain confidential and non-attributable (if so, please specify)
All responses should be submitted in advance of the closing date for this Call for Views, which is 23:59 on 6 September 2020.
How can I access the research reports cited in this document?
In developing these proposals, the government commissioned research to better understand the existing and future consumer smart product landscape. These are referenced throughout and can be accessed below:
1. Overview of proposed legislative approach
The government’s objective is to protect citizens and the wider economy from the range of harms that can arise from a vulnerable internet-connected product.
The desired outcome of these proposals is that no product within scope (see Section 2 - Scope of Regulation) should be supplied or made available to consumers on the UK market, if it does not comply with three security requirements (see Section 3 - Security Requirements). This would establish a cyber security baseline for smart products that would be applied UK-wide.
The government’s intention is to design future-proofed legislation that will remain relevant amidst the rapid pace of technological change and innovation across the consumer smart product sector. The government will therefore seek to design this legislative framework so that it could be rapidly updated as necessitated by the evolution of the consumer smart product landscape, in consultation with relevant stakeholders.
Constructing the government’s legislative framework so that certain elements, such as the security requirements, can be quickly amended through secondary legislation, is one potential mechanism that could be used to ensure that the legislation keeps pace with technological change. Throughout this document there are references to elements of the framework that it is proposed could be kept up to date dynamically, using mechanisms such as secondary legislation.
2. Scope of regulation
Defining ‘consumer Internet of Things products’ or ‘consumer smart products’ in an exhaustive or precise way is challenging, as new products are constantly being brought to market. The approach that the government suggests is to include a broad definition of connected products within the scope of the regulation and specify product categories that are out of scope as necessary (see Box 1 for a proposed scope statement). An ongoing effort would be required to maintain the list of products that are out of scope (see Box 1 for details).
Whilst the focus of the proposed legislation is to improve the security of consumer smart products, conventional IT (laptops, PCs and smartphones) would be included within the scope of this proposed legislation. The government recognises that conventional IT products largely address basic security flaws, and meet these proposed requirements. These products would be included to establish a consistent, future-proofed cyber security baseline across increasingly convergent product classes.
Products intended to be in scope, as per the wording in Box 1, include:
- connected children’s toys and baby monitors
- connected safety-relevant products such as smoke detectors and door locks
- Internet of Things base stations and hubs to which multiple devices connect
- smart cameras, TVs and speakers
- wearable health trackers
- connected home automation and alarm systems, especially their gateways and hubs
- connected appliances, such as washing machines and fridges
- smart home assistants
- smartphones, laptops and PCs
It should be noted that these proposals include products that are primarily used by or are available to consumers, but are also used in a business environment. This includes, but is not limited to, multifunctional printers, smart TVs and connected security cameras. The government proposes to exclude products that are considered industrial smart products, and Operational Technologies.
A proposed scope statement is included in Box 1 below. The text in single quotation marks denotes terms that are defined in the table below the box and also in Appendix 2 - Proposed Definitions. The terms in single quotation marks are intended to be interchangeable with their expanded definitions.
Term | Definition |
---|---|
‘network-connectable’ | has one or more network interfaces that can receive and/or transmit digital data |
‘product’ | device and their associated services |
‘natural person…’ | the phrase ‘… natural person who is acting for purposes that are outside his/her trade …’ is a common definition of ‘consumer’ in legislation |
Smart meters are out of scope of this proposal because they are covered by mandatory assurance schemes. Other devices that connect to the smart metering system, such as In Home Displays (IHD) and Consumer Access Devices (CADs) are not excluded. Automotive vehicles are out of scope as the Department for Transport is working at an international level to agree regulations setting cyber security requirements for vehicles. Smart chargepoints are out of scope as they will be covered by alternative regulations and standards being developed, as set out in the Office for Low Emission Vehicles 2019 Smart Charging Consultation.
Medical devices, such as connected pacemakers and hearing aids, are out of scope as they fall under the responsibility of the Medicines & Healthcare products Regulatory Agency (MHRA) and are already subject to robust regulation. However, multipurpose consumer devices such as smart watches or other fitness devices that have limited medical device functionality are in scope.
Government will ensure that the approach adopted for regulating the cyber security of consumer smart products considers existing and forthcoming legislation. This includes ensuring compatibility with existing government commitments to take powers to regulate smart appliances.
An alternative approach to broadly defining products in scope and specifying product categories that are out of scope as necessary would be to specify classes of products in scope. However, this approach is not desirable as it would require an ongoing effort to monitor the emergence of new product classes, and to update the scope of the regulation to encompass new classes as they are identified. This could potentially lead to new product classes temporarily not being included within scope, exposing consumers and the economy to harm. The government also believes that consumers would expect all consumer products, where feasible, to be covered by regulation.
3. Security requirements
3.1 Overview
The security requirements are the technical measures and organisational actions that would be set out in this proposed legislative framework, which would need to be implemented for all products in scope that are supplied in the UK market.
The security requirements have been derived from and align with key provisions within European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1. Government may, over time, add additional security requirements to those set out in this section as and when appropriate, and in consultation with relevant stakeholders. To achieve this, the proposed approach would enable Ministers to set out further security requirements using a flexible mechanism such as secondary legislation.
3.2 Design principles
The following principles have guided the development of the security requirements:
- Impact: Government is seeking to better protect consumers from threats that arise from poorly secured connected products. The focus of this approach is on technical controls and organisational policies that have the biggest impact in resolving the most significant security shortcomings.
- Applicability: Consumer smart products comprise a diverse range of products. Mandated requirements must be implementable and be appropriate for all products within the scope of this regulation.
- Future-proofing: Technologies and threats change rapidly, and the security requirements need to give manufacturers the opportunity to implement modern security solutions. Setting out the details of the security requirements in secondary legislation would provide the flexibility to amend them when needed if, for example, amendments were required to continue to align with European Telecommunications Standards Institute (ETSI) standards.
- Minimise burden: Government champions innovation in digital technologies, including for consumer smart products. As such, this regulation could inspire innovation and entrepreneurship in the space of consumer smart products. As mandated regulation is introduced, the government is conscious that the implementation of the regulation may create a new burden, especially for small businesses. The security requirements have been developed with a view to minimising that burden and to avoid unintended consequences.
- Alignment with industry standards: The security requirements align with standards recognised by the UK government, including the globally-applicable standard European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.
- Testability: The requirements should be unambiguous and testable. Whilst the Code of Practice for Consumer Internet of Things Security contains outcome-focused guidance, the security requirements set out in regulation need to provide clarity for consumers and supply chains.
3.3 Proposed security requirements
Requirement 1 - Ban universal default passwords in consumer smart products
Universal default passwords, frequently in combination with easily guessable values such as ‘admin’, ‘12345’ or ‘password’, have been the primary source of security concerns in consumer smart products, and so this practice must be halted.
The government’s broader ambition is to encourage the use of alternative authentication mechanisms that do not use passwords - not using passwords altogether would be the easiest way to meet Requirement 1. The intention here is not to reinforce the use of passwords.
Box 2 contains the proposed technical wording that would be the basis for possible measures for this requirement. The text in single quotation marks denotes terms that are defined in the table below Box 2. These terms in single quotation marks are intended to be interchangeable with their expanded definitions. The technical wording in this Box aligns with provisions 5.1-1 and 5.1-2 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.
Note that the government’s intent is to cover all passwords within the device, including those not accessible by the user, such as passwords on administrative interfaces, or within firmware of sub-components. Pre-installed software applications (Apps), including those that are 3rd party provided but pre-installed on a device, are in scope.
The government’s intent is also to ban passwords which may be unique per device, but are still easily guessable and therefore still present a risk (for example, if incremental counters are used such as ‘password1’, ‘password2’ and so on). Requirement 1.2 in Box 2 has been designed to guard against this.
Term | Definition |
---|---|
‘password’ | a string of characters used for authentication or authorisation purposes. This includes zero-string passwords, but it does not include cases where no password could reasonably be set |
‘device’ | physical thing, including its hardware and software components, as part of the overall ‘product’ |
‘sub-system’ | part of a device that participates in the operation of the latter |
‘user’ | natural person |
‘unique per device’ | unique for each individual device of a given product class or type |
Guidance on designing authentication mechanisms is available from multiple expert organisations, including NIST. A ‘unique per device’ password can be achieved by giving it a reasonable degree of randomness. For example, a key derivation function that uses a manufacturer secret and an attribute related to that device could be used. This approach also has the benefit of allowing remote servicing of the device, unless the password is changed.
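The key-derivation approach described above, as an added example that is not part of the Call for Views or of any ETSI material: a manufacturer secret and a per-device serial number are fed through HKDF (RFC 5869, HMAC-SHA256) to produce a password that is unique per device yet reproducible for remote servicing, and a batch audit flags the ‘password1’, ‘password2’ counter anti-pattern that Requirement 1.2 is meant to catch. The secret, serial numbers and the ‘default-credential-v1’ label are constructed values.

```python
import hashlib
import hmac
import re
import string

# 62-symbol alphabet a consumer can type on a setup screen or companion app
ALPHABET = string.ascii_letters + string.digits

# Values the Call for Views names as easily guessable; a real blocklist would be far longer
GUESSABLE_DEFAULTS = {"admin", "12345", "password", ""}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                            # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_password(manufacturer_secret: bytes, device_attribute: str, length: int = 12) -> str:
    """Derive a unique-per-device password from a manufacturer secret and a per-device
    attribute such as the serial number. Deterministic, so a support process that holds
    the secret can recompute it (remote servicing) until the user changes the password."""
    okm = hkdf_sha256(
        ikm=manufacturer_secret,
        salt=b"default-credential-v1",          # constructed label: binds purpose and version
        info=device_attribute.encode("utf-8"),  # per-device attribute keeps outputs distinct
        length=length * 4,                      # headroom for the rejection sampling below
    )
    # Reject bytes >= 248 so that `byte % 62` is uniform over the alphabet (no modulo bias)
    limit = 256 - (256 % len(ALPHABET))
    chars = [ALPHABET[b % len(ALPHABET)] for b in okm if b < limit][:length]
    if len(chars) < length:
        raise RuntimeError("insufficient key material after rejection sampling")
    return "".join(chars)


def is_guessable_default(password: str) -> bool:
    """Per-device check: blocklisted value, too short, or a single repeated character."""
    if password.lower() in GUESSABLE_DEFAULTS or len(password) < 8:
        return True
    return len(set(password)) == 1  # e.g. 'aaaaaaaa'


def has_counter_pattern(passwords) -> bool:
    """Batch check for the 'password1', 'password2', ... anti-pattern: passwords that
    differ only by a trailing counter are unique per device yet guessable from one another."""
    distinct = len(set(passwords))
    stems = {re.sub(r"\d+$", "", p) for p in passwords}
    return distinct > 1 and len(stems) < distinct


def audit_batch(manufacturer_secret: bytes, serials):
    """Derive passwords for a production batch and return (passwords, findings)."""
    passwords = [derive_device_password(manufacturer_secret, s) for s in serials]
    findings = [f"{s}: guessable" for s, p in zip(serials, passwords) if is_guessable_default(p)]
    if has_counter_pattern(passwords):
        findings.append("batch: trailing-counter pattern")
    return passwords, findings


if __name__ == "__main__":
    secret = b"constructed-manufacturer-secret-keep-in-an-hsm"   # constructed
    serials = ["SN-000001", "SN-000002", "SN-000003"]             # constructed
    pws, findings = audit_batch(secret, serials)
    for s, p in zip(serials, pws):
        print(f"{s} -> {p}")
    print("findings:", findings or "none")
    print("legacy scheme flagged:", has_counter_pattern(["password1", "password2", "password3"]))
```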
Requirement 2 - Implement a means to manage reports of vulnerabilities
The intent of this requirement is to provide a transparent route for external parties to report security vulnerabilities to the manufacturer and receive useful feedback. This practice remains uncommon among manufacturers of consumer smart products; however, it is an essential mechanism to identify and address security shortcomings.
Box 3 contains the technical wording that the government proposes would be the basis for possible measures for this requirement. The text in single quotation marks denotes terms that are defined in the table below the box and also in Appendix 2 - Proposed Definitions. The terms in single quotation marks are intended to be interchangeable with their expanded definitions. The technical wording in this Box aligns with provision 5.2-1 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.
Term | Definition |
---|---|
‘vulnerability disclosure policy’ | policy that states the responsibilities of relevant parties to manage vulnerabilities, including the process through which third parties are able to report issues |
‘product’ | ‘device’ and their ‘associated services’ |
‘clear and transparent’ | can be easily understood and states all relevant dependencies |
‘accessible way’ | way that omits unnecessary barriers to obtaining or reporting information, including to consumers in the UK |
This requirement aligns with provision 5.2-1 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1. It is also aligned with ISO 29147 on coordinated vulnerability disclosure.
Implementation will typically require the manufacturer, or relevant entity, to agree and set up a process for managing vulnerabilities across the product’s supply chain in a coordinated manner. Usually, the vulnerability disclosure policy is published on a website. Contact information can be an email address, phone number and/or webform. Information on timelines can be a high-level indication of expected timescales. A purely illustrative example of this could be 24 hours to acknowledge receipt and fortnightly status updates until resolution of the issue.
Further guidance on vulnerability disclosure is available in section 5.2 of the European Telecommunications Standards Institute (ETSI) standard and on the IoT Security Mapping website.
Requirement 3: Provide transparency on for how long, at a minimum, the product will receive security updates
Providing security updates in a timely manner is one of the most important mechanisms to protect consumers. Their purpose is to address security shortcomings that place consumers’ privacy and security at risk and that typically are only identified once the product is on the market. They also enable consumers to make better informed purchasing decisions. When buying a product, consumers need to be able to find out the minimum period of time for which that product will be supported with security updates.
Box 4 contains the technical wording that the government proposes would be the basis for possible measures for this requirement. The text in single quotation marks denotes terms that are defined in Appendix 2 - Proposed Definitions. The terms in single quotation marks are intended to be interchangeable with their expanded definitions. The technical wording in this Box aligns with provision 5.3-13 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.
Setting the defined support period for software security updates can be challenging for long-life appliances that have an expected lifetime much longer than that of their digital components. There are a number of ways to manage this, for example: creating the possibility to replace just those digital components, the automatic cessation of the product’s internet connectivity once the support period has ended, or providing specific and clearly understandable mitigation advice to users on possible actions to take if the support period has ended. It should also be noted that the defined support period can always be extended unilaterally by the producer or manufacturer.
Term | Definition |
---|---|
‘defined support period’ | minimum length of time, expressed as a period or by an end-date, for which a device will receive ‘security updates’ |
‘product’ | ‘device’ and their ‘associated services’ |
‘accessible way’ | way that omits unnecessary barriers to obtaining or reporting information, including to consumers in the UK |
‘clear and transparent’ | can be easily understood and states all relevant dependencies |
Further guidance is available in section 5.3 of the European Telecommunications Standards Institute standard and on the IoT Security Mapping website.
3.4 Guidance on security requirements
It is important that manufacturers and organisations in supply chains have the information they need to implement the requirements set out above. The IoT Security Foundation, an industry expert organisation, is developing guidance based on these security requirements as well as on relevant guidelines of the Code of Practice for Consumer Internet of Things Security and relevant provisions of ETSI EN 303 645. This is expected to be published later in the year and will be freely accessible. Various expert organisations including the GSM Association (GSMA), the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) also produce pertinent guidance materials.
Furthermore, alongside the publication of the Code of Practice for Consumer Internet of Things Security in 2018, the government also commissioned the development of a comprehensive mapping of global smart product security and privacy recommendations. This is updated regularly and available on the IoT Security Mapping website.
4. Obligations
4.1 Overview
Many of the security requirements we are proposing to mandate are aimed towards manufacturers of consumer smart products. The rationale for this is that many of the security requirements must be built into the device at the design stage or are dependent on the manufacturer.
Therefore, the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative. If they do not have a UK representative, then the obligation would fall on the importer or any person who brings these products into the UK, supplies them, or makes them available on the UK market. These bodies will be referred to as ‘Producers’ (this term is used in the General Product Safety Regulations 2005, which most manufacturers are familiar with).
As many of these products are made outside of the UK, the government aims to ensure that all products within scope that will be supplied or made available on the UK market comply with the security requirements. Obligations will also be placed on ‘Distributors’ to ensure that they do not supply or make available any products on the UK market that do not comply with these requirements.
Enforcement actions (as detailed in Section 5 - Enforcement Approach) would be taken against these entities if they fail to meet their obligations under the legislation.
The government’s intention is to broadly align with the existing legislation and definitions for regulating product safety in the UK, as set out in the General Product Safety Regulations 2005. It is intended that this legislation will:
4.2 Obligations on the ‘Producer’
The government’s proposed legislative approach would adopt the definition of ‘Producer’ used in existing product safety legislation. The proposed working definition is provided in Box 5.
An indication of possible measures that are representative of the government’s policy intent are provided in Box 6. Alongside the legislation, the government is planning to produce guidance to help businesses within the scope of the legislation understand and implement the security requirements. Proposed material for this guidance document pertaining to ‘Producer’ obligations is also provided in Box 6.
4.3 Obligations on the ‘Distributor’
This proposed approach would also include a requirement to prevent ‘Distributors’ from supplying or making available products within scope (see Section 2 - Scope of Regulation) if they are not compliant with the defined security requirements (see Section 3 - Security Requirements), providing an additional layer of protection to restrict the flow of insecure consumer smart products to UK consumers.
These proposals would also see ‘Distributors’ obliged to provide consumers with information pertaining to security requirement 3 (Provide transparency on for how long, at a minimum, the product will receive security updates) at the point of sale. The point of sale would be before the consumer has paid for the product and the sale is completed. A possible definition of ‘Distributor’ is provided in Box 7.
An indication of possible measures that are representative of the government’s policy intent is provided in Box 8. Alongside the legislation, the government is planning to produce guidance to help businesses within the scope of the legislation understand and implement the security requirements. Proposed material for this guidance document pertaining to ‘Distributor’ obligations is also provided in Box 8.
Term | Definition |
---|---|
supply | supply (definition from General Product Safety Regulations 2005) - ‘supply’ in relation to a product includes making it available, in the context of providing a service, for use by consumers |
4.4 Obligations for online actors
The rise of online sales has brought new actors into the supply and distribution chain for consumer smart products. The proposed legislation will look to address those, defining actors and placing responsibilities on them as appropriate.
The proposed approach aims to capture the increasing volumes of insecure consumer smart products bought online, whether these are provided by third parties in the UK, or from overseas.
Research into consumer purchasing channels conducted by YouGov, with 5,421 participants, on a range of different types of consumer smart product, has shown that on average, 74% of purchases of consumer smart products are made online.
As online sales are the main channel for the purchasing of consumer smart products, and in order to ensure that the proposed legislation is future-proofed, it is vital that the government defines these entities in this proposed legislation.
The government is proposing to include ‘Distributors’ who act as a marketplace or a platform for consumer sales online, and would also consider entities that enable third party selling and packaging. The proposed legislation would include those who may be considered to be an online platform or marketplace, if they are enabling the buying and selling of insecure smart products.
The proposed legislation will seek to ensure alignment with existing and future product safety and consumer protection legislation.
4.5 Disposal and sustainability
Where an obligation falls on an entity to dispose of any consumer smart device and where all other options are exhausted, the government proposes that reasonable efforts should be made to arrange for the return of the insecure device from the consumer, subject to any sanctions and corrective measures. In circumstances where the device has to be disposed of, it should be properly treated and recycled where possible, in accordance with the Waste Electrical and Electronic Equipment Regulations 2013 or its successor.
As mentioned in the UK Government’s Resources and Waste Strategy 2018, the ‘Producer’ or ‘Distributor’ have responsibilities for the collection and proper treatment of waste electrical items. As such, they must make an arrangement for the collection or return of the device from consumers who have purchased it, or for its disposal, and this must be free of charge, as per Part 5 of the Waste Electrical and Electronic Equipment Regulations 2013.
5. Proposed enforcement approach
5.1 Overview
The proposed enforcement approach is to designate a regulator to take action against ‘Producers’ or ‘Distributors’ (see Section 4 - Obligations) who supply or make available products within scope (see Section 2 - Scope of Regulation) that are not compliant with the security requirements (see Section 3 - Security Requirements), in order to deter bad practice and reduce the threat posed to consumer security, and potentially to their privacy and safety.
The government is developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation. This body would take action against ‘Producers’ or ‘Distributors’ in instances where the obligations (see Section 4 - Obligations) informed by the security requirements are not met.
Feedback provided in response to this Call for Views will shape the enforcement approach and therefore impact the body considered to be best placed to deliver it.
5.2 Enforcement timescales
Following Royal Assent, certain actions would remain lawful until a date determined by the government, at which point enforcement would commence. The government proposes that this date would be different for each security requirement, and would be based on the estimated time and resource required for ‘Producers’ and ‘Distributors’ to comply. Further details of the proposed timescales are included in Box 9. Please note that these are suggested timescales and the government would welcome feedback and evidence to help shape these proposals.
As part of this proposal, the government commissioned research conducted with 22 manufacturers of consumer smart products. Manufacturers estimated that familiarisation with legislation mandating the top three provisions of the Code of Practice for Consumer Internet of Things Security would require an average of 15.2 person-days, which varied from “a few hours for the chief product officer” to “over three months” for the whole business.
Most respondents believed that the time taken to comply with the requirement for a vulnerability disclosure policy would be under three months.
The estimated time to implement a minimum period for security updates varies by organisation depending on its size, and is spread fairly evenly between zero and 30 months, with the majority able to implement this requirement in under 18 months. On average, manufacturers redesign their product packaging every 30.3 months; average contract lengths were just over one year for UK suppliers and around 31 months for non-UK suppliers.
Only one respondent to the survey stated that they manufactured products that used a default password. While they did not disclose how long it would take to implement the security requirements, they stated they would either redesign the product to comply, use an alternative authentication method or update the password remotely.
5.3 Enforcement roles and responsibilities
The government is proposing that the enforcement body would intervene when a report is received (from a security researcher, trade body, member of the public, industry, ‘Distributor’, ‘Producer’, etc.) notifying it that the security requirements have not been complied with. For example:
- A ‘Producer’ has not met some or all of the security requirements.
- Compliance information provided to the consumer at the point of sale, by either the ‘Producer’ or ‘Distributor’, is incorrect, misleading or absent, e.g. the length of time for which security updates will be provided.
- An investigation by the enforcement body has uncovered that the ‘Producer’ has not met some of the security requirements.
5.4 Non-compliance
The enforcement body may request evidence of non-compliance where possible and test products to verify any claims of non-compliance. The enforcement body may do this by investigating independently, contacting the ‘Producer’ or ‘Distributor’ for evidence, or by approaching any assurance scheme that is used.
When products are sold in-store, investigatory powers may be required to assess the product or conduct a test purchase for Security Requirements 1 (Ban universal default passwords) and 3 (Provide transparency on for how long, at a minimum, the product will receive security updates).
Where smart consumer products are sold online, the enforcement body may test-purchase the products, or request that a ‘Distributor’ who has supplied or made the products available on the market provide it with all the information and documentation within the ‘Distributor’s knowledge or possession which demonstrates that the provisions of the proposed legislation have been complied with.
Where non-compliance has been identified but the ‘Producer’ or ‘Distributor’ responsible is no longer trading and the products pose a significant risk to consumers, the enforcement body would have the powers to remove the products in question from the market.
5.5. Example enforcement actions
Where ‘Producers’ or ‘Distributors’ have not fulfilled their obligations under the legislation, the enforcement body would have access to a range of powers that could be implemented to remove the risk to UK consumers. The government proposes that enforcement powers would be used when voluntary actions have not removed the security risk and any enforcement measures undertaken would be proportionate to the seriousness of the risk, as agreed with the designated enforcement body.
Compliance measures and sanctions
The government is proposing that the designated enforcement body would be afforded a suite of enforcement powers, applicable to ‘Producers’ or ‘Distributors’ of all consumer smart products intended to be presented for sale to consumers in the UK, both online and in-store.
An example of existing corrective measures and sanctions is included in Box 10. These corrective measures and sanctions are largely based on powers in current product safety legislation available to existing regulators of product safety. This information is included in order to give an indication of the types of sanctions and corrective measures that are being explored.
The government proposes that the designated enforcement body would seek to implement penalties for non-compliance initially using civil enforcement techniques. Continued non-compliance may lead to criminal action in line with the scale of the offence and subject to sanctions being breached. The designated enforcement body would not seek to push for prosecution in the first instance, but rather take a scalable approach via voluntary action, before utilising sanctions to deter non-compliance of the legislation. A proposed set of decision criteria for deciding on the appropriate enforcement action is outlined in Box 11.
As part of this proposal, the ‘Producer’ or ‘Distributor’ would have the right to appeal a sanction or corrective measure brought against them. This would include an appeals process that aligns with the processes used in existing product safety legislation.
5.6. Enforcement body considerations
As part of developing the proposed enforcement approach, the government is reviewing the existing regulatory landscape and considering several existing regulators who may be in a position to act as the appropriate enforcement body who would monitor compliance with the legislation, conduct any investigation or testing and take appropriate enforcement action as needed.
Any regulatory or enforcement body would be required to follow good regulatory practice, including complying with the Regulators’ Code, which requires a proportionate and evidence-based approach and sets out principles for how regulatory functions are exercised.
Ideally, the designated enforcement body would have existing structures in place to monitor non-compliance, issue penalties and other sanctions, which would be proportionate and reasonable and based on the level of risk posed to consumers. Support to upskill or recruit individuals with technical cyber security knowledge could also be provided, as necessary.
In addition to the proposals outlined above, the technical implementation of the enforcement approach would be informed by existing structures and infrastructure already in place within the designated enforcement body. The details of the enforcement activities would be agreed in collaboration with the designated enforcement body.
5.7. Enforcement body
Designation of an appropriate enforcement body, or bodies, and the regulatory model, will be considered subject to the wider feedback and evidence received in this Call for Views. Identification of a suitable enforcement body will require further engagement with a number of existing enforcement bodies, government departments and key stakeholders to understand the regulatory landscape, further discovery with a range of existing enforcement bodies and the collation of supporting information on existing activity taking place.
Conversations have been held with a number of existing enforcement bodies to scope the regulatory landscape and to solicit feedback and invite input into these proposals. These bodies include those that DCMS is already engaging with in other policy areas to benefit from lessons learned, those who are currently undertaking similar enforcement activities in relation to existing product safety regulations and also bodies who are part of the wider landscape, but may have an interest in these proposals.
The organisations that have been spoken to are listed below, however it is important to note that this is not a shortlist of candidates, as some have been engaged in order to solicit input and share learning only. However, further, more detailed conversations with a selection of these regulators and other key stakeholders are planned. The enforcement bodies that have been engaged to date include:
- The Office for Product Safety and Standards in the Department for Business, Energy and Industrial Strategy, which is an enforcement authority for the safety of a wide range of consumer products in the UK, including the General Product Safety Regulations.
- National and Local Trading Standards representatives in relation to their cross border, regional, national or local focus to protect consumers and provide advice. Local authority Trading Standards have powers under Schedule 5 of the Consumer Rights Act 2015.
- Ofcom, as the enforcement authority for the use of wireless devices (under the Radio Equipment Regulations 2017 and the Electromagnetic Compatibility Regulations 2016), in its role to protect and manage the radio spectrum.
- The Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It is sponsored by DCMS.
- The Financial Conduct Authority, which is the regulator responsible for consumer protection in the financial markets.
- The Competition and Markets Authority has a range of powers and functions, including the enforcement of competition and consumer law, the regulation of mergers, and conducting market investigations.
Privacy notice
The following is to explain your rights and give you the information you are entitled to under the Data Protection Act 2018 and the General Data Protection Regulation (“the Data Protection Legislation”). This notice only refers to your personal data (e.g. your name, email address, and anything that could be used to identify you personally) not the content of your response to the survey.
1 - The identity of the data controller and contact details of our Data Protection Officer
The Department for Digital, Culture, Media and Sport (“DCMS”) is the data controller. The Data Protection Officer can be contacted by emailing [email protected]. You can visit the DCMS website to find out more about how DCMS uses and protects your information.
2 - Why your personal data is being collected
Your personal data is being collected as an essential part of the Call for Views process, so that the government can contact you regarding your response and for statistical purposes, such as to ensure individuals cannot complete the survey more than once.
3 - The legal basis for processing personal data
The Data Protection Legislation states that, as a government department, the department may process personal data as necessary for the effective performance of a task carried out in the public interest, i.e. a Call for Views.
4 - How your personal data will be shared
Copies of responses may be published after the survey closes. If this happens, the government will ensure that neither you nor the organisation you represent are identifiable, and any response used to illustrate findings will be anonymised.
Qualtrics is the online survey platform used to conduct this survey. Qualtrics will store the data in accordance with DCMS instructions; the Qualtrics privacy policy is available on the Qualtrics website.
If you want the information that you provide to be treated as confidential, please contact [email protected]. Please be aware that, under the Freedom of Information Act (FOIA), there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. In view of this, it would be helpful if you could explain why you regard the information you have provided as confidential. If the government receives a request for disclosure of the information, the government will take full account of your explanation, but cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the Department.
5 - How long your personal data will be kept for
Your personal data will be held for two years after the survey is closed. This is so that the department is able to contact you regarding the result of the survey following analysis of the responses.
6 - Your rights in relation to access, rectification and erasure of data
The data that is being collected is your personal data, and you have considerable say over what happens to it. You have the right:
- to see what data we have about you;
- to ask us to stop using your data, but keep it on record;
- to have all or some of your data deleted or corrected;
- to lodge a complaint with the independent Information Commissioner if you think we are not handling your data fairly or in accordance with the law.
You can contact the ICO via the ICO website, by telephone 0303 123 1113 or by post:
7 - Additional information
Further to the above, you should also be aware of the following:
- Your personal data will not be sent overseas.
- Your personal data will not be used for any automated decision making.
- Your personal data will be stored in a secure government IT system.
Appendix 1. Accompanying questions
The questions set out below seek your feedback on the government’s proposed approach and for stakeholders to raise any gaps or comments. Respondents are invited to provide answers to these questions using the online feedback survey for this Call for Views. Alternatively, respondents can download and populate the feedback form on the main page and email responses directly to [email protected].
Demographic questions
Scope of regulation questions
Security requirements feedback
Obligations questions
Enforcement approach questions
Appendix 2. Proposed definitions
Please note that all definitions provided either reflect the government’s proposed policy approach, or are indicative of existing approaches, standards, or regulations that represent the intent of this proposed legislation. These definitions are not final and remain subject to change.
The following terms form part of the scope statement and the security requirements. Text in single quotation marks in relevant sections denote terms that are defined here. The definitions provided here are similar to those within the European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.
- ‘accessible way’: way that omits unnecessary barriers to obtaining or reporting information, including for consumers in the UK
This proposal aims to prevent the ‘defined support period’ being obtainable only through premium-rate phone numbers, or being buried on a website. It also aims to prevent websites being exclusively in a foreign language when the device is intended for the UK market.
- ‘associated service’: digital service that, together with the device, is part of the overall ‘product’ and that is required to provide the ‘product’s intended functionality, for example mobile applications and cloud storage
- ‘clear and transparent’: can be easily understood and states all relevant dependencies
- ‘defined support period’: minimum length of time, expressed as a period or by an end-date, for which a device will receive ‘security updates’
- ‘device’: physical thing, including its hardware and software components, as part of the overall ‘product’
- ‘network-connectable’: has one or more network interfaces that can receive and/or transmit digital data
‘Digital’ is used here to exclude purely analogue audio equipment.
- ‘password’: a string of characters used for authentication or authorisation purposes. This includes zero-string passwords, but it does not include cases where no password could reasonably be set.
For the purposes of this legislation the following are not defined as passwords:
- Cryptographic keys used for encryption of data on a device.
- API keys, unless it is the sole form of authentication to the device.
- A default PIN, password or key used for Bluetooth® or Zigbee® pairing.
Default PINs, passwords or keys for Bluetooth® or Zigbee® pairing are excluded from the definition of passwords for legacy reasons. This authentication approach remains commonplace, but it brings security challenges and better mechanisms are available. At this time, where possible it is recommended to use a secure method of authentication. A future update to this regulation will likely remove this option.
- ‘product’: a device and its associated services
- ‘security updates’: software updates that improve the security of the product such as by addressing a security vulnerability
- ‘sub-system’: part of a device that participates in the operation of the latter
- ‘supply’ (GPSR): in relation to a product, includes making it available, in the context of providing a service, for use by consumers
- ‘unique per device’: unique for each individual device of a given product class or type
- ‘user’: natural person
Defining ‘user’ as a natural person prevents default passwords that are changed by bots, rather than by a person, from counting as user-defined for the purposes of requirement 1.1.
- ‘vulnerability’: weakness of software, hardware, or online service that can be exploited
- ‘vulnerability disclosure policy’: policy that states the responsibilities of relevant parties to manage ‘vulnerabilities’, including the process through which third parties are able to report issues.
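The ‘password’ and ‘unique per device’ definitions above describe what a compliant factory credential must and must not be, but not how an enforcement body would check a ‘Producer’s provisioning records against them, or how a ‘Producer’ would generate credentials that pass. The Python below is an added illustration of both sides; it is not part of this proposal, the Code of Practice or ETSI EN 303 645. The fleet records, the list of well-known defaults and the scrypt parameters are assumptions made for the example, and the audit goes slightly beyond the text by also flagging passwords that embed a public identifier such as the serial number or MAC address, which are not secret even if they are technically unique.

```python
"""Fleet-level check of the 'unique per device' and 'password' definitions.

Added illustration for this Call for Views; it is not part of the proposal,
the Code of Practice or ETSI EN 303 645. The provisioning records, the list
of well-known defaults and the scrypt parameters are all assumptions made
for the example.
"""
import hashlib
import hmac
import os
import secrets
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample export of (serial, MAC, factory-set password) records,
# of the kind an enforcement body might request from a 'Producer'.
SAMPLE_FLEET = [
    ("SN0001", "AA:BB:CC:00:00:01", "admin"),           # universal default
    ("SN0002", "AA:BB:CC:00:00:02", "admin"),           # same universal default
    ("SN0003", "AA:BB:CC:00:00:03", ""),                # zero-string password
    ("SN0004", "AA:BB:CC:00:00:04", "SN0004"),          # derivable from serial
    ("SN0005", "AA:BB:CC:00:00:05", "aabbcc000005"),    # derivable from MAC
    ("SN0006", "AA:BB:CC:00:00:06", "x7Qp-29kL-mR4v"),  # unique per device
]

# Illustrative list only; a real audit would use a maintained wordlist.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "default"}


def classify_password(serial: str, mac: str, password: str,
                      seen: Counter) -> List[str]:
    """Return the reasons a factory password fails to be 'unique per device'.

    An empty list means no finding. `seen` counts each password across the
    whole fleet, so a value shared by several devices is reported as universal.
    """
    findings = []
    if password == "":
        findings.append("zero-string password")
    if password.lower() in COMMON_DEFAULTS:
        findings.append("well-known default")
    if seen[password] > 1:
        findings.append("shared by %d devices" % seen[password])
    # A password that embeds a public identifier is not a secret: anyone who
    # can read the label or observe the MAC on the network can reconstruct it.
    mac_hex = mac.replace(":", "").lower()
    for public in (serial.lower(), mac_hex, mac_hex[-6:]):
        if public in password.lower():
            findings.append("derivable from public identifier")
            break
    return findings


def audit_fleet(records: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each non-compliant serial to its findings; compliant devices are omitted."""
    seen = Counter(pw for _, _, pw in records)
    report = {}
    for serial, mac, pw in records:
        findings = classify_password(serial, mac, pw, seen)
        if findings:
            report[serial] = findings
    return report


def provision_password(nbytes: int = 12) -> str:
    """Generate a per-device factory password from the OS CSPRNG.

    Random generation, rather than derivation from the serial or MAC with a
    shared factory key, means one device's credential reveals nothing about
    another's, and there is no single key whose leak exposes the whole fleet.
    """
    return secrets.token_urlsafe(nbytes)


def store_credential(password: str) -> Tuple[bytes, bytes]:
    """Salted scrypt hash for the device's credential store; the plaintext
    goes only on the device label, never into a central database."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_credential(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for serial, findings in audit_fleet(SAMPLE_FLEET).items():
        print(serial, "->", ", ".join(findings))
```

Run against the constructed fleet, `audit_fleet` reports SN0001 to SN0005 and stays silent on SN0006; the ‘shared by N devices’ finding is the one that directly corresponds to a universal default under Security Requirement 1, while the other findings catch the ways a ‘Producer’ can satisfy uniqueness on paper without providing a real secret.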