STEaPP research informs new Product Security and Telecommunications Infrastructure Bill

The Product Security and Telecommunications Infrastructure Bill, introduced to Parliament last week, will require manufacturers, importers and distributors of ‘Internet of Things’ (IoT) devices to ‘meet new tough cyber security standards’ with fines for those who don’t comply.

Forecasts suggest that there could be up to 50 billion internet-connected products (the IoT) worldwide by 2030, including Smart TVs, locks and doorbells, with an average of nine in each UK household.

Research led by Dr Leonie Tanczer has investigated the ways in which domestic abuse perpetrators can facilitate these technologies for abuse, termed “tech abuse”. Work in collaboration with STEaPP’s Policy Impact Unit has long been calling for policy change to tackle this growing problem, with a number of successful outcomes. These include citations in policy documents (such as a recent POSTNote), parliamentary questions asked by MPs, and invitations to provide briefings to officials.

Tech abuse is provided as a reason for introducing the Bill in the product security factsheet, which links to a BBC article informed by Dr Tanczer’s work. This is the latest in a series of positive policy outcomes which can at least in part be attributed to the team’s sustained efforts to engage with the policy community on tackling tech abuse for the last three years.  

Dr Tanczer welcomed the Bill and the Government’s latest commitment to addressing tech abuse and improving consumer IoT security: “I am pleased that the Government is taking tech-abuse seriously after understanding the findings of our research. The misuse of digital systems for the purpose of monitoring, harassing and restricting victims and survivors of domestic abuse is sadly here to stay and will only increase as smart, internet-connected devices become more widespread. We hope this new legislation will go some way to tackling tech-abuse and making consumer IoT more secure”.

According to the Department for Digital, Culture, Media and Sport (DCMS), the Bill will:

• Allow the government to ban universal default passwords
• Force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and;
• Create a better public reporting system for vulnerabilities found in those products.

These commitments build on some of the principles from the Consumer IoT code of practise (CoP), developed by DCMS in 2018 with contributions from STEaPP researchers through PETRAS - the National Centre of Excellence for IoT Systems Cybersecurity. Earlier this year, DCMS commissioned a report by colleagues in STEaPP and UCL Computer Science to assess the state of play of the CoP and analyse the issues around fitness devices, smart children’s toys and other internet-connected devices, setting out necessary steps to secure them.

Dr Tanczer continues to work closely with the Government to provide input and comment on this important issue.