April 26, 2021
In July 2020 the Government announced that it is planning to change the law to make “smart” products more secure, and it published a call for views on its proposals. Having received 110 responses from organisations and individuals, the Government has now published its response.
The Government says that it will now legislate, when parliamentary time allows, to create a new robust scheme of regulation to protect consumers from insecure connected products. The regulation will apply to all consumer connected products such as smart speakers, smart televisions, connected doorbells and smartphones. A number of devices will be exempt due to the specific circumstances of how they are constructed and secured, including desktop computers and laptops. The security requirements will align with international standards and, the Government says, are familiar to all manufacturers and other relevant parties across the industry. An enforcement body will be equipped with powers to investigate allegations of non-compliance and to take steps to ensure compliance.
Twelve key policy positions underpin the Government’s intended regulatory approach:
- defining products in scope: the intended legislation will apply to any network-connectable devices and their associated services that are made available primarily to consumers, except products that are designated as out of scope;
- exempted product classes: specific product classes that would otherwise fall within the scope of this legislation, but to which it would be inappropriate for it to apply, will be exempted from the legislative framework;
- adaptable scope: where changes to the wider regulatory, technological, or threat landscapes render it appropriate, the intended legislation will allow Ministers, subject to agreement by Parliament, to adjust the scope of consumer connected products covered by this regulation by updating the list of specific product classes exempted from its effects;
- interoperability: the Government will ensure that the intended legislation is interoperable with other existing or planned government interventions covering contiguous or overlapping product classes, such as BEIS commitments to regulate smart appliances;
- obligations on economic actors: the legislation will place proportionate obligations on relevant economic actors involved in the transmission of in-scope products to consumers to ensure that insecure products are not made available to UK consumers;
- security requirements: the legislation will oblige relevant economic actors to not make consumer connected products available on the UK market unless they comply with certain security requirements, or designated standards;
- adaptable security requirements: where changes to the wider regulatory, technological, or threat landscapes render it appropriate, the intended legislation will allow Ministers to update the security requirements and designated standards that relevant economic actors must ensure products made available on the UK market comply with;
- product assurance: where changes to the wider technological or threat landscapes render it appropriate, the intended legislation will enable Ministers to mandate product assurance for particular categories of consumer connected products;
- enforcement authority: an enforcement authority will investigate non-compliance, take action in relation to any non-compliance, and provide support to relevant economic actors to enable them to comply with their obligations;
- enforcement role and responsibilities: to enable proportionate enforcement across a range of contexts, the legislation will equip the enforcement authority with the necessary powers, as well as the ability to issue appropriate corrective measures and sanctions and, potentially in the most serious circumstances, to bring forward criminal proceedings;
- appeals: relevant economic actors will have the right to appeal any sanctions or corrective measures brought against them, in a manner consistent with the processes used in existing product safety legislation; and
- proportionate transitional provisions: following royal assent, the Government will provide relevant economic actors with an appropriate grace period to adjust their business practices before the intended legislation fully comes into force.
Examples of the new requirements that smart devices will have to meet include:
- customers must be informed at the point of sale of the period for which a smart device will receive security software updates;
- a ban on manufacturers using universal default passwords, such as “password” or “admin”, that are often pre-set in a device’s factory settings and are easily guessable;
- manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.