Policy paper

Proposals for regulating consumer smart product cyber security - call for views

Updated 1 October 2020

Ministerial foreword

Matt Warman MP, Minister for Digital Infrastructure

This government wants you and your families to be safe online. In these extraordinary circumstances, we all increasingly rely on internet-connected products to socialise, work and live out our lives. You should be able to trust that those products – whether they be watches, speakers, doorbells or baby monitors – are designed and built securely.

We are an unashamedly pro-tech government. Our support for such ‘smart’ technology is part of an exciting digital agenda we’re driving forward at DCMS; from providing world-class, next generation digital infrastructure to supporting emergent AI technology.

We also need to make sure that the growth of smart consumer products aligns with our commitment to make the UK the safest place to be online. Too often, manufacturers do not embed even the most basic approaches to cyber security into their products [footnote 1], leaving consumers unnecessarily exposed to a range of harms. Most consumers overwhelmingly assume that the products available in store and online are safe by default; the reality is that a number of insecure consumer smart products remain stocked on our shelves.

Cyber security is at the heart of the government’s approach to digital technology, and plays a critical role in ensuring people and businesses can benefit from the huge opportunities of technology. It is for this reason that my department has been working alongside the National Cyber Security Centre to urgently address consumer smart product security. In 2018, we published a Code of Practice for Consumer Internet of Things Security and have been supporting the development of the first industry standard on consumer smart product security.

Despite widespread adoption of the guidelines in the Code of Practice for Consumer Internet of Things Security, both in the UK and overseas, change has not been swift enough, with poor security still commonplace.

In January 2020, I announced the government’s intention to bring in legislation to ensure stronger security is built into consumer smart products. Since then we have continued to work at pace, collaborating with industry leaders and cyber security experts, to deliver world-leading legislation in this space.

This Call for Views is an important opportunity for us to test our proposed approach and for industry to input and help build a world-leading regulatory framework that promotes innovation while protecting consumers.

Engaging with the public, businesses and experts is crucial if we are to realise our vision of a more secure, confident and prosperous nation in the digital world. So please take this opportunity to share feedback and evidence, so that we can continue to work together towards this goal.

Matt Warman

Minister for Digital Infrastructure

Document guidance

What is the purpose of this document and who is it for?

This document describes the government’s proposed approach for improving the cyber security of consumer smart products sold in the UK through legislation. It details the scope of the proposed legislation, the proposed cyber security requirements that would be mandated for consumer smart products (the security requirements), how these requirements may translate into obligations on the producers and distributors of these products, and proposals for the enforcement of these requirements.

This document is being shared to gather further external feedback and evidence to inform the development of these proposals. Input from all interested parties, from individual organisations impacted by the proposed regulation, to trade associations, consumer groups, and cyber security subject-matter experts, is welcomed.

How should I read this document?

Supplementary technical detail

The government has collaborated with cyber security subject-matter experts, consumer groups and various other industry stakeholders in developing the policy proposals detailed in this document. For the benefit of stakeholders who have already engaged with these proposals, and for those interested in the technical detail of how the proposals could be implemented, supplementary technical details are included throughout this document. This includes suggested technical wording, potential material for supplementary legislation guidance, and possible measures.

Please note that descriptions of potential measures throughout the document are not final. These are indicative examples and would not necessarily represent the exact wording of any final legislation. These examples should not be interpreted as legal text, and have been included to illustrate potential ways in which the enclosed proposals could inform detailed guidance or possible measures. The final legal implementation of the proposed legislation would ultimately be determined as part of the legal drafting process.

For the benefit of stakeholders who have not previously engaged with these proposals, or who are primarily interested in understanding the broad intentions of the government’s proposal, these instances of technical detail have been separated out from the main body of the document in boxes such as the example below:

Box X - Description of proposed technical detail

[supplementary technical detail, such as suggested technical wording, potential material for supplementary legislation guidance, or possible measures]

Definitions

Terms in single quotation marks - ‘like this’ - are defined in a definition table below each box and in the footnotes, and readers should also consider the text presented here when reviewing this document. A comprehensive list of all definitions used in the document is available in Appendix 2 - Proposed Definitions.

When terms in single quotation marks are featured in technical wording proposed for possible measures (predominantly in Section 3 - Security Requirements), those terms are intended to be interchangeable with their expanded definitions.

Please note that all definitions provided either reflect a proposed policy approach, or are indicative of existing approaches, standards, or regulations that represent the intent of the government’s proposed legislation. These definitions are not final and remain subject to change.

How should I provide feedback?

Upon review of these policy proposals, please consider the questions in Appendix 1. Respondents are invited to provide answers to these questions using the online feedback survey. Alternatively, respondents can download and populate the feedback form on the main page and email responses directly to securebydesign@dcms.gov.uk. Respondents are welcome to only answer the feedback questions relevant to them.

Supporting evidence should be submitted directly to securebydesign@dcms.gov.uk. Partial responses will be recorded and included in the analysis. If you wish for your partial response to be deleted and not included in the analysis, please email securebydesign@dcms.gov.uk. Please note that in doing so, you may be required to provide some of your responses to the survey (identifying information), e.g. your organisation’s name or the date and time you started and completed the survey, to ensure the correct response is removed.

If you are unable to submit your response using the online survey or via email, you can post your response to:

Secure by Design Team
Cyber Security and Digital Identity Directorate
DCMS
4th Floor
100 Parliament Street
London
SW1A 2BQ

If you are responding by email or in writing, please clarify:

  • if you are responding on behalf of an organisation or in a personal capacity
  • which questions you are answering (there is no need to respond to all of the questions if they are not all relevant to you)
  • whether you are willing to be contacted (if so, please provide contact details) and
  • whether you prefer for your response to remain confidential and non-attributable (if so, please specify)

All responses should be submitted in advance of the closing date for this Call for Views, which is 23:59 on 6 September 2020.

How can I access the research reports cited in this document?

In developing these proposals, the government commissioned research to better understand the existing and future consumer smart product landscape. These are referenced throughout and can be accessed below:

1. Overview of proposed legislative approach

The government’s objective is to protect citizens and the wider economy from the range of harms that can arise from a vulnerable internet-connected product.

The desired outcome of these proposals is that no product within scope (see Section 2 - Scope of Regulation) should be supplied or made available to consumers on the UK market, if it does not comply with three security requirements (see Section 3 - Security Requirements). This would establish a cyber security baseline for smart products that would be applied UK-wide.

The government’s intention is to design future-proofed legislation that will remain relevant amidst the rapid pace of technological change and innovation across the consumer smart product sector. The government will therefore seek to design this legislative framework so that it could be rapidly updated as necessitated by the evolution of the consumer smart product landscape, in consultation with relevant stakeholders.

Constructing the government’s legislative framework so that certain elements, such as the security requirements, can be quickly amended through secondary legislation, is one potential mechanism that could be used to ensure that the legislation keeps pace with technological change. Throughout this document there are references to elements of the framework that it is proposed could be kept up to date dynamically, using mechanisms such as secondary legislation.

Please note these details are indicative, that this is an example of a possible implementation approach and has not been finalised. The final legal implementation of the proposed legislation would ultimately be determined as part of the legal drafting process. All timescales cited are proposals only, and the government would welcome feedback and evidence to help shape these proposals.

2. Scope of regulation

Defining ‘consumer Internet of Things products’ or ‘consumer smart products’ in an exhaustive or precise way is challenging, as new products are constantly being brought to market. The approach that the government suggests is to include a broad definition of connected products within the scope of the regulation and specify product categories that are out of scope as necessary (see Box 1 for a proposed scope statement). An ongoing effort would be required to maintain the list of products that are out of scope (see Box 1 for details).

Whilst the focus of the proposed legislation is to improve the security of consumer smart products, conventional IT (laptops, PCs and smartphones) would be included within the scope of this proposed legislation. The government recognises that conventional IT products largely address basic security flaws, and meet these proposed requirements. These products would be included to establish a consistent, future-proofed cyber security baseline across increasingly convergent product classes.

Products intended to be in scope, as per the wording in Box 1, include:

  • connected children’s toys and baby monitors
  • connected safety-relevant products such as smoke detectors and door locks
  • Internet of Things base stations and hubs to which multiple devices connect
  • smart cameras, TVs and speakers
  • wearable health trackers
  • connected home automation and alarm systems, especially their gateways and hubs
  • connected appliances, such as washing machines and fridges
  • smart home assistants
  • smartphones, laptops and PCs

It should be noted that these proposals include products that are primarily used by or are available to consumers, but are also used in a business environment. This includes, but is not limited to, multifunctional printers, smart TVs and connected security cameras. The government proposes to exclude products that are considered industrial smart products, and Operational Technologies[footnote 2].

A proposed scope statement is included in Box 1 below. The text in single quotation marks denotes terms that are defined in the table below the box and also in Appendix 2 - Proposed Definitions. The terms in single quotation marks are intended to be interchangeable with their expanded definitions.

Box 1 - Proposed scope statement

Exact wording and approach to be finalised

Products in scope

A product in scope for this regulation is any ‘network-connectable’ ‘product’ that is supplied or made available;

  1. for the use or enjoyment of a natural person; or

  2. for the sale to a natural person for use; who is acting for purposes that are outside his/her trade, business, craft or profession in or around a permanent or temporary household or residence, in recreation or as an electronic wearable, except products that are designated as out of scope.

Products out of scope

The government proposes that the following consumer products would be out of scope of this legislative framework, primarily because they are or soon will be covered by alternative regulation:

  • Smart Metering devices that require Commercial Product Assurance (CPA)
  • Automotive including electric vehicles, and smart chargepoints
  • Medical devices (includes In Vitro Diagnostic Devices and Active implantables)

The following products would be out of scope primarily because they are not used by consumers and/or are covered by alternative regulation:

  • Industrial smart products
  • Operational Technologies

The government proposes that this list of out of scope products would be updated and maintained, possibly by means of additional secondary legislation. The proposed approach would also allow the government to vary the products that are in scope as innovation evolves and the distinction between consumer products and other products becomes blurred.

Term: Definition
‘network-connectable’: has one or more network interfaces that can receive and/or transmit digital data
‘product’: device and their associated services
‘natural person…’: the phrase ‘… natural person who is acting for purposes that are outside his/her trade …’ is a common definition of ‘consumer’ in legislation

Smart meters are out of scope of this proposal because they are covered by mandatory assurance schemes. Other devices that connect to the smart metering system, such as In Home Displays (IHD) and Consumer Access Devices (CADs) are not excluded. Automotive vehicles are out of scope as the Department for Transport is working at an international level to agree regulations setting cyber security requirements for vehicles. Smart chargepoints are out of scope as they will be covered by alternative regulations and standards being developed, as set out in the Office for Low Emission Vehicles 2019 Smart Charging Consultation.

Medical devices, such as connected pacemakers and hearing aids, are out of scope as they fall under the responsibility of the Medicines & Healthcare products Regulatory Agency (MHRA) and are already subject to robust regulation. However, multipurpose consumer devices such as smart watches or other fitness devices that have limited medical device functionality are in scope.

Government will ensure that the approach adopted for regulating the cyber security of consumer smart products considers existing and forthcoming legislation. This includes ensuring compatibility with existing government commitments to take powers to regulate smart appliances[footnote 7].

An alternative approach to broadly defining products in scope and specifying product categories that are out of scope as necessary would be to specify classes of products in scope. However, this approach is not desirable as it would require an ongoing effort to monitor the emergence of new product classes, and to update the scope of the regulation to encompass new classes as they are identified. This could potentially lead to new product classes temporarily not being included within scope, exposing consumers and the economy to harm. The government also believes that consumers would expect all consumer products, where feasible, to be covered by regulation.

3. Security requirements

3.1 Overview

The security requirements are the technical measures and organisational actions that would be set out in this proposed legislative framework, which would need to be implemented for all products in scope that are supplied in the UK market.

The security requirements have been derived from and align with key provisions within European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1. Government may, over time, add additional security requirements to those set out in this section as and when appropriate, and in consultation with relevant stakeholders. To achieve this, the proposed approach would enable Ministers to set out further security requirements using a flexible mechanism such as secondary legislation.

3.2 Design principles

The following principles have guided the development of the security requirements:

  1. Impact: Government is seeking to better protect consumers from threats that arise from poorly secured connected products. The focus of this approach is on technical controls and organisational policies that have the biggest impact in resolving the most significant security shortcomings.
  2. Applicability: Consumer smart products comprise a diverse range of products. Mandated requirements must be implementable and be appropriate for all products within the scope of this regulation.
  3. Future-proofing: Technologies and threats change rapidly, and the security requirements need to give manufacturers the opportunity to implement modern security solutions. Setting out the details of the security requirements in secondary legislation would provide the flexibility to amend them when needed if, for example, amendments were required to continue to align with European Telecommunications Standards Institute (ETSI) standards.
  4. Minimise burden: Government champions innovation in digital technologies, including for consumer smart products. As such, this regulation could inspire innovation and entrepreneurship in the space of consumer smart products. As mandated regulation is introduced, the government is conscious that the implementation of the regulation may create a new burden, especially for small businesses. The security requirements have been developed with a view to minimising that burden and to avoid unintended consequences.
  5. Alignment with industry standards: The security requirements align with standards recognised by the UK government, including the globally-applicable standard European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.
  6. Testability: The requirements should be unambiguous and testable. Whilst the Code of Practice for Consumer Internet of Things Security contains outcome-focused guidance, the security requirements set out in regulation need to provide clarity for consumers and supply chains.

3.3 Proposed security requirements

Requirement 1 - Ban universal default passwords in consumer smart products

Universal default passwords, frequently in combination with easily guessable values such as ‘admin’, ‘12345’ or ‘password’, have been the primary source of security concerns in consumer smart products, and so this practice must be halted.

The government’s broader ambition is to encourage the use of alternative authentication mechanisms that do not use passwords - not using passwords altogether would be the easiest way to meet Requirement 1. The intention here is not to reinforce the use of passwords.

Box 2 contains the proposed technical wording that would be the basis for possible measures for this requirement. The text in single quotation marks denotes terms that are defined in the table below Box 2. These terms in single quotation marks are intended to be interchangeable with their expanded definitions. The technical wording in this Box aligns with provisions 5.1-1 and 5.1-2 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.

Note that the government’s intent is to cover all passwords within the device, including those not accessible by the user, such as passwords on administrative interfaces, or within firmware of sub-components. Pre-installed software applications (Apps), including those that are third-party provided but pre-installed on a device, are in scope.

The government’s intent is also to ban passwords which may be unique per device, but are still easily guessable and therefore still present a risk (for example, if incremental counters are used such as ‘password1’, ‘password2’ and so on). Requirement 1.2 in Box 2 has been designed to guard against this.

Box 2 - Requirement 1 - Ban universal default passwords

Exact wording and approach to be finalised

Requirement 1.1

When ‘passwords’ are used on:

  1. the ‘device’;
  2. a ‘sub-system’ of the ‘device’; or
  3. a software application that has not been installed onto the device by a ‘user’;

the ‘password’ shall be ‘unique per device’ or defined by the ‘user’, unless the device, sub-system or software application is in a pre-initialised state in which network connectivity and functionality are limited to those that are needed for the ‘user’ to set a ‘password’ or another authentication method.

Requirement 1.2

Where pre-installed ‘unique per device’ ‘passwords’ are used, these ‘passwords’ shall be generated with a password generation mechanism that minimises the risk of automated attacks against a class or type of device. Such password generation mechanism shall be of a nature so that:

  1. a ‘password’ cannot be derived solely from knowledge of another password; and
  2. a ‘password’ cannot be derived solely from information that can be determined by communicating with the device over a network; and
  3. a ‘password’ cannot be derived solely from device identification information in combination with a symmetric key.

‘Device identification information’ is meant to include IMEI/MAC (International Mobile Equipment Identity Number / Media Access Control address) and other digital identifiers.

Text above in single quotation marks denotes terms defined in the table below and in Appendix 2 - Proposed Definitions.

Term: Definition
‘password’: a string of characters used for authentication or authorisation purposes. This includes zero-string passwords, but it does not include cases where no password could reasonably be set
‘device’: physical thing, including its hardware and software components, as part of the overall ‘product’
‘sub-system’: part of a device that participates in the operation of the latter
‘user’: natural person
‘unique per device’: unique for each individual device of a given product class or type

Guidance on designing authentication mechanisms is available from multiple expert organisations, including NIST[footnote 14]. A ‘unique per device’ password can be achieved by giving it a reasonable degree of randomness. For example, a key derivation function that uses a manufacturer secret and an attribute related to that device could be used. This approach also has the benefit of allowing remote servicing of the device, unless the password is changed.
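As an added example (not part of the Call for Views or of ETSI EN 303 645), the following Python audit checks a constructed manufacturing batch of pre-installed passwords against the Box 2 criteria: easily guessable values such as ‘admin’ or ‘12345’, a universal default shared across devices, the incremental-counter pattern (‘password1’, ‘password2’) that Requirement 1.2(1) targets, and a password that embeds a network-observable identifier such as a MAC address (1.2(2)). The blocklist, the minimum length and the sample MAC addresses are assumptions; generate_unique_password shows the CSPRNG route to the ‘reasonable degree of randomness’ the guidance above describes.

```python
"""Audit pre-installed per-device passwords against Requirement 1 (Box 2).

Added example for this Call for Views; it is not part of the document or of
any standard. Identifiers, passwords and the blocklist below are constructed.
"""
import re
import secrets
import string
from collections import Counter
from typing import Dict, Iterable, List, Set

# Easily guessable values named in the text plus a few similar ones; a real
# blocklist would be far longer (constructed, assumption).
COMMON_DEFAULTS = {"", "admin", "password", "1234", "12345", "123456", "root"}
MIN_LENGTH = 12  # assumed floor; the document itself sets no length
ALPHABET = string.ascii_letters + string.digits
SUFFIX_RE = re.compile(r"(.*?)(\d+)")  # non-numeric stem + numeric suffix


def normalise(text: str) -> str:
    """Lower-case and drop separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


def generate_unique_password(length: int = 16) -> str:
    """Per-device password drawn from a CSPRNG, so it is not derivable from any
    identifier, key or sibling password (Requirement 1.2 (1)-(3))."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def counter_stems(passwords: Iterable[str]) -> Set[str]:
    """Stems whose numeric suffixes cluster, e.g. 'password1', 'password2'.

    Such passwords are derivable from knowledge of another one (1.2(1)).
    Widely spread suffixes, as in random all-digit PINs, are not flagged."""
    by_stem: Dict[str, List[int]] = {}
    for pw in passwords:
        m = SUFFIX_RE.fullmatch(pw)
        if m:
            by_stem.setdefault(m.group(1), []).append(int(m.group(2)))
    return {stem for stem, nums in by_stem.items()
            if len(nums) > 1 and max(nums) - min(nums) + 1 <= 2 * len(nums)}


def audit_batch(batch: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {identifier: [findings]} for devices whose password fails a check.

    batch maps a network-observable identifier (MAC, IMEI, serial) to the
    pre-installed password; an empty result means the batch passed."""
    counts = Counter(batch.values())
    stems = counter_stems(batch.values())
    findings: Dict[str, List[str]] = {}
    for ident, pw in batch.items():
        problems = []
        if pw.lower() in COMMON_DEFAULTS or len(pw) < MIN_LENGTH:
            problems.append("easily guessable value")
        if counts[pw] > 1:
            problems.append("universal default shared by %d devices" % counts[pw])
        m = SUFFIX_RE.fullmatch(pw)
        if m and m.group(1) in stems:
            problems.append("incremental counter, derivable from another password (1.2(1))")
        norm_id = normalise(ident)
        if len(norm_id) >= 6 and norm_id in normalise(pw):
            problems.append("embeds a network-observable identifier (1.2(2))")
        if problems:
            findings[ident] = problems
    return findings


SAMPLE_BATCH = {  # constructed: MAC address -> pre-installed password
    "00:11:22:33:44:01": "admin",
    "00:11:22:33:44:02": "admin",
    "00:11:22:33:44:03": "password1",
    "00:11:22:33:44:04": "password2",
    "00:11:22:33:44:05": "cam-001122334405",
    "00:11:22:33:44:06": generate_unique_password(),
}

if __name__ == "__main__":
    for ident, problems in audit_batch(SAMPLE_BATCH).items():
        print(ident, "->", "; ".join(problems))
```

Only the sixth device, whose password came from the CSPRNG, produces no findings.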

Requirement 2 - Implement a means to manage reports of vulnerabilities

The intent of this requirement is to provide third parties with a transparent route to report security vulnerabilities to the manufacturer and to receive useful feedback. This practice remains uncommon among manufacturers of consumer smart products; however, it is an essential mechanism to identify and address security shortcomings[footnote 15].

Box 3 contains the technical wording that the government proposes would be the basis for possible measures for this requirement. The text in single quotation marks denotes terms that are defined in the table below the box and also in Appendix 2 - Proposed Definitions. The terms in single quotation marks are intended to be interchangeable with their expanded definitions. The technical wording in this Box aligns with provision 5.2-1 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.

Box 3 - Requirement 2 - Implement a means to manage reports of vulnerabilities

Exact wording and approach to be finalised

A ‘vulnerability disclosure policy’ shall be publicly available that covers the relevant ‘product’ and that is ‘clear and transparent’. This policy shall provide a process that allows for issues to be reported in an ‘accessible way’ and include, at a minimum:

  1. contact information for the reporting of issues; and
  2. information on timelines for (1) initial acknowledgement of receipt and (2) status updates until the resolution of the reported issues.

Term: Definition
‘vulnerability disclosure policy’: policy that states the responsibilities of relevant parties to manage vulnerabilities, including the process through which third parties are able to report issues
‘product’: ‘device’ and their ‘associated services’
‘clear and transparent’: can be easily understood and states all relevant dependencies
‘accessible way’: way that omits unnecessary barriers to obtaining or reporting information, including to consumers in the UK

This requirement aligns with provision 5.2-1 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1. It is also aligned with ISO 29147 on coordinated vulnerability disclosure.

Implementation will typically require the manufacturer, or relevant entity, to agree and set up a process for managing vulnerabilities across the product’s supply chain in a coordinated manner. Usually, the vulnerability disclosure policy is published on a website. Contact information can be an email address, phone number and/or webform. Information on timelines can be a high-level indication of expected timescales. A purely illustrative example (not indicative of any required timescale) could be 24 hours to acknowledge receipt and fortnightly status updates until resolution of the issue.

Further guidance on vulnerability disclosure is available in section 5.2 of the European Telecommunications Standards Institute (ETSI) standard and on the IoT Security Mapping website.

Requirement 3: Provide transparency on for how long, at a minimum, the product will receive security updates

Providing security updates in a timely manner is one of the most important mechanisms to protect consumers. Their purpose is to address security shortcomings that place consumers’ privacy and security at risk and that typically are only identified once the product is on the market. They also enable consumers to make better informed purchasing decisions. When buying a product, consumers need to be able to find out the minimum period of time for which that product will be supported with security updates.

Box 4 contains the technical wording that the government proposes would be the basis for possible measures for this requirement. The text in single quotation marks denotes terms that are defined in Appendix 2 - Proposed Definitions. The terms in single quotation marks are intended to be interchangeable with their expanded definitions. The technical wording in this Box aligns with provision 5.3-13 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.

Setting the defined support period for software security updates can be challenging for long-life appliances that have an expected lifetime that is much longer than that of their digital components. There are a number of ways to manage this, for example, creating the possibility to replace just those digital components, the automatic cessation of the product’s internet connectivity once the support period has ended, or providing specific and clearly understandable mitigation advice to users on possible actions to take if the support period has ended. It should also be noted that the defined support period can always be extended unilaterally by the producer or manufacturer.

Box 4 - Requirement 3 - Provide transparency on for how long, at a minimum, the product will receive security updates

Exact wording and approach to be finalised

The ‘defined support period’ for the relevant ‘product’ shall be published in an ‘accessible way’ that is ‘clear and transparent’.

This clause aligns with provision 5.3-13 of European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.

Term: Definition
‘defined support period’: minimum length of time, expressed as a period or by an end-date, for which a device will receive ‘security updates’
‘product’: ‘device’ and their ‘associated services’
‘accessible way’: way that omits unnecessary barriers to obtaining or reporting information, including to consumers in the UK
‘clear and transparent’: can be easily understood and states all relevant dependencies

Further guidance is available in section 5.3 of the European Telecommunications Standards Institute standard and on the IoT Security Mapping website.

3.4 Guidance on security requirements

It is important that manufacturers and organisations in supply chains have the information they need to implement the requirements set out above. The IoT Security Foundation, an industry expert organisation, is developing guidance based on these security requirements as well as on relevant guidelines of the Code of Practice for Consumer Internet of Things Security and relevant provisions of the ETSI EN 303 645. This is expected to be published later in the year and will be freely accessible. Various expert organisations including GSM Association (GSMA), National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) also produce pertinent guidance materials.

Furthermore, alongside the publication of the Code of Practice for Consumer Internet of Things Security in 2018, the government also commissioned the development of a comprehensive mapping of global smart product security and privacy recommendations. This is updated regularly and available on the IoT Security Mapping website.

4. Obligations

4.1 Overview

Many of the security requirements we are proposing to mandate are aimed towards manufacturers of consumer smart products. The rationale for this is that many of the security requirements must be built into the device at the design stage or are dependent on the manufacturer.

Therefore, the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative. If they do not have a UK representative, then the obligation would fall on the importer or any person who brings these products into the UK, supplies them, or makes them available on the UK market. These bodies will be referred to as ‘Producers’ (this term is used in the General Product Safety Regulations 2005, which most manufacturers are familiar with).

As many of these products are made outside of the UK, the government aims to ensure that all products within scope that will be supplied or made available on the UK market comply with the security requirements. Obligations will also be placed on ‘Distributors’ to ensure that they do not supply or make available any products on the UK market that do not comply with these requirements.

Enforcement actions (as detailed in Section 5 - Enforcement Approach) would be taken against these entities if they fail to meet their obligations under the legislation.

The government’s intention is to broadly align with the existing legislation and definitions for regulating product safety in the UK, as set out in the General Product Safety Regulations 2005. It is intended that this legislation will:

  1. Prohibit ‘Producers’ (which includes manufacturers and importers) from supplying or making a product in scope available on the market unless the product meets the security requirements.
  2. Place a ‘duty of care’ requirement on ‘Distributors’ (which covers retailers and also includes online marketplaces) of products in scope to only ‘supply’[footnote 24] or ‘make available’[footnote 25] products that meet the security requirements.

4.2 Obligations on the ‘Producer’

The government’s proposed legislative approach would adopt the definition of ‘Producer’ used in existing product safety legislation. The proposed working definition is provided in Box 5.

Box 5 - Working definition of Producer (based on cl.2, p.2 General Product Safety Regulations 2005)

Indicative definition - to be finalised alongside wider approach

‘Producer’ in this working definition means:

  1. the manufacturer of a product, when they are established in the UK, and any other person presenting themselves as the manufacturer by affixing to the product their name, trade mark or other distinctive mark, or the person who reconditions the product;
  2. when the manufacturer is not established in the UK:

i) if they have a representative established in the UK, the representative;

ii) in any other case, the importer of the product from outside the UK into the UK (which in some cases can be a retailer).

An indication of possible measures that are representative of the government’s policy intent is provided in Box 6. Alongside the legislation, the government is planning to produce guidance to help businesses within the scope of the legislation understand and implement the security requirements. Proposed material for this guidance document pertaining to ‘Producer’ obligations is also provided in Box 6.

Box 6 - Draft proposal and example guidance content for ‘Producer’ obligations

Wording subject to change - to be finalised alongside wider approach

Possible measures:

1. A prohibition on a ‘Producer’ from supplying or making a product within scope available on the UK market unless the product is compliant with the security requirements.

2. A requirement on a ‘Producer’ to comply with the enforcement body.

3. A requirement on a ‘Producer’ to provide compliance information to the ‘Distributor’.

Guidance:

* The ‘Producer’ may decide how it will provide a statement of compliance. This may be done in a number of ways:
- Self Declaration (e.g. part of the contract, SLA, formal letter, using the annex from the European Telecommunications Standards Institute (ETSI) standard)
- Assurance (Self Assurance, 3rd party assurance, 3rd party testing)

* Compliance with the standards designated by Ministers is encouraged (which could be ETSI EN 303 645).

* The ‘Producer’ may decide how best to provide compliance information and the ‘Distributor’ may decide if they are satisfied with the information received. The market for assurance schemes is still in its infancy and, while this is changing with the introduction of new products, it would not be appropriate to mandate a method of assurance at this time.

* The ‘Producer’ and ‘Distributor’ may be asked to provide the enforcement body with information on non-compliance including, but not limited to, the number of vulnerability reports received, non-compliance reports, status, timescales for resolution and action taken. Further detail is to be included in monitoring and reporting guidance and agreed with the enforcement body.

* The ‘Producer’ may be the manufacturer, if UK based or the UK subsidiary of a global organisation, or the importer, which may in some cases be the retailer. If selling or supplying directly into the UK market, it would be mandatory for the ‘Producer’ to present compliance information to the consumer at the point of sale.

* UK manufacturers will not be required to implement the security requirements when exporting goods to non-UK markets (subject to the requirements of that market), if they do not supply or make those products available to the UK market.

4.3 Obligations on the ‘Distributor’

This proposed approach would also include a requirement preventing ‘Distributors’ from supplying or making available products within scope (see Section 2 - Scope of Regulation) if they are not compliant with the defined security requirements (see Section 3 - Security Requirements), providing an additional layer of protection to restrict the flow of insecure consumer smart products to UK consumers.

These proposals would also see ‘Distributors’ obliged to provide consumers with information pertaining to security requirement 3 (Provide transparency on for how long, at a minimum, the product will receive security updates) at the point of sale. The point of sale would be before the consumer has paid for the product and the sale is completed. A possible definition of ‘Distributor’ is provided in Box 7.

Box 7 - Working definition of ‘Distributor’ (from p.2 Radio Equipment Regulations 2017)

Indicative definition - to be finalised alongside wider approach

‘Distributor’ means any person in the supply chain, other than the manufacturer, authorised representative or the importer, who makes [a product] available on the market.

Note that this proposal would also place this obligation on ‘Distributors’ who act as a marketplace or a platform for consumer sales online.

An indication of possible measures that are representative of the government’s policy intent is provided in Box 8. Alongside the legislation, the government is planning to produce guidance to help businesses within the scope of the legislation understand and implement the security requirements. Proposed material for this guidance document pertaining to ‘Distributor’ obligations is also provided in Box 8.

Box 8 - Draft proposal and example guidance content for Distributor obligations

Wording subject to change - to be finalised alongside wider approach

Draft text:

1. A requirement on ‘Distributors’ to only ‘supply’ [sell, make available] products within scope that are compliant with the security requirements.

2. ‘Distributors’ shall provide consumers with [certain] information [on the length of time for security updates] at the point of sale to demonstrate that the products within scope meet the security requirements.

3. The ‘Distributor’ shall act with due care in order to identify and ensure compliance with the applicable security requirements and must conduct due diligence. In particular, they:
- 3.1 shall not expose or possess for supply, offer or agree to supply, or supply, a product to any person which they know, or should have presumed on the basis of the information in their possession and their professional opinion, does not comply with the security requirements;
- 3.2 shall, within the limits of their activities, participate in monitoring the security of a product supplied or made available, in particular by:
3.2.1 passing information on non-compliance, or the risks posed by the product, to the enforcement body, the ‘Producer’ and other interested parties;
3.2.2 keeping the documentation necessary for tracing the origin of the product;
3.2.3 producing the documentation necessary for tracing the origin of the product, and cooperating with action taken by a ‘Producer’ or an enforcement authority to avoid the risks;
3.2.4 retaining evidence or assurance of compliance for as long as the products are being sold by the ‘Distributor’ OR for as long as the minimum support period for the product.

4. Where a ‘Producer’ also supplies directly to consumers they will also be considered a ‘Distributor’ and have to meet both sets of obligations.

5. ‘Distributors’ shall not be held liable where they have relied on information provided by the ‘Producer’ and have acted with due care to ensure that the ‘Producer’, or their authorised representative, or the person who provided them with the product, has complied with the security requirements.

6. The ‘Distributor’ may be held liable if they cannot provide evidence, or are unable to cooperate, in response to a reasoned request from the enforcement body to provide the information or documentation necessary to demonstrate conformity or compliance with the security requirements.

Guidance:

* Information on the length of time that security updates are provided must be independent of any existing terms and conditions and should not be undermined by other T&Cs.

* Due diligence activities may include reviewing the statement of compliance provided by the ‘Producer’ to satisfy the ‘Distributor’ that the security requirements have been complied with, through visual checks, or other checks as considered necessary by the ‘Distributor’.

* As referenced above, such statements may include evidence such as:
- Self Declaration (e.g. part of the contract, SLA, formal letter, using the annex from the European Telecommunications Standards Institute (ETSI) standard);
- Assurance (Self Assurance, 3rd party assurance, 3rd party testing)

Term: supply
Definition (from the General Product Safety Regulations 2005): ‘supply’ in relation to a product includes making it available, in the context of providing a service, for use by consumers.

4.4 Obligations for online actors

The rise of online sales has brought new actors into the supply and distribution chain for consumer smart products. The proposed legislation will look to address those, defining actors and placing responsibilities on them as appropriate.

The proposed approach aims to capture the increasing volumes of insecure consumer smart products bought online, whether these are provided by third parties in the UK, or from overseas.

Research into consumer purchasing channels conducted by YouGov, with 5,421 participants, on a range of different types of consumer smart product, has shown that on average 74% of purchases of consumer smart products are made online.[footnote 27]

As online sales are the main channel for the purchasing of consumer smart products, and in order to ensure that the proposed legislation is future-proofed, it is vital that the government defines these entities in this proposed legislation.

The government is proposing to include ‘Distributors’ who act as a marketplace or a platform for consumer sales online, and would also consider entities that enable third party selling and packaging. The proposed legislation would include those who may be considered to be an online platform or marketplace, if they are enabling the buying and selling of insecure smart products.

The proposed legislation will seek to ensure alignment with existing and future product safety and consumer protection legislation.

4.5 Disposal and sustainability

Where an obligation falls on an entity to dispose of any consumer smart device, and where all other options are exhausted, the government proposes that reasonable efforts should be made to organise the return of the insecure device from the consumer, subject to any sanctions and corrective measures. In circumstances where the device has to be disposed of, it should be properly treated and recycled where possible, in accordance with the Waste Electrical and Electronic Equipment Regulations 2013 or their successor.

As mentioned in the UK Government’s Resources and Waste Strategy 2018, the ‘Producer’ or ‘Distributor’ has responsibilities for the collection and proper treatment of waste electrical items. As such, they must make an arrangement for the collection or return of the device from consumers who have purchased it, or for its disposal, and this must be free of charge, as per Part 5 of the Waste Electrical and Electronic Equipment Regulations 2013.

5. Proposed enforcement approach

5.1 Overview

The proposed enforcement approach is to designate a regulator to take action against ‘Producers’ or ‘Distributors’ (see Section 4 - Obligations) who supply or make available products within scope (see Section 2 - Scope of Regulation) that are not compliant with the security requirements (see Section 3 - Security Requirements), in order to deter bad practice and reduce the threat posed to consumer security, and potentially to their privacy and safety.

The government is developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation. This body would take action against ‘Producers’ or ‘Distributors’ in instances where the obligations (see Section 4 - Obligations) informed by the security requirements are not met.

Feedback provided in response to this Call for Views will shape the enforcement approach and therefore impact the body considered to be best placed to deliver it.

5.2 Enforcement timescales

Enforcement would commence on a date after Royal Assent, to be determined by the government; certain actions would remain lawful until that date. The government proposes that this date would be different for each security requirement, based on the estimated time and resource required for ‘Producers’ and ‘Distributors’ to comply. Further details of the proposed timescales are included in Box 9. Please note that these are suggested timescales and the government would welcome feedback and evidence to help shape these proposals.

The government commissioned research, conducted with 22 manufacturers of consumer smart products, as part of this proposal.[footnote 28] Manufacturers estimated that familiarisation with legislation mandating the top three provisions of the Code of Practice for Consumer Internet of Things Security would require an average of 15.2 person-days, which varied from “a few hours for the chief product officer” to “over three months” for the whole business.[footnote 29]

Most respondents believed that the time taken to comply with the requirement for a vulnerability disclosure policy would be under three months.[footnote 30]

The estimated time to implement a minimum period for security updates for consumer smart products varies by organisation depending on its size, and is spread fairly evenly between zero and 30 months, with the majority able to implement this requirement in under 18 months.[footnote 31] On average, manufacturers redesign their product packaging every 30.3 months,[footnote 32] and average contract lengths were just over one year for UK suppliers and around 31 months for non-UK suppliers.[footnote 33]

Only one respondent to the survey stated that they manufactured products that used a default password. While they did not disclose the length of time it would take to implement the security requirements, they stated they would either redesign the product to comply, use an alternative authentication method or update the password remotely.[footnote 34]

Box 9 - Proposed commencement dates of enforcement per security requirement

Indicative detail - approach to be finalised

3 Months following Royal Assent:

Security Requirement 2: Implement a means to manage reports of vulnerabilities

6 Months following Royal Assent:

Security Requirement 3: Provide transparency on for how long, at a minimum, the product will receive security updates. The government’s proposed legislation would require ‘Producers’ to comply with the security requirements within this time. The ‘Distributor’ must not supply, sell or make the products available on the market unless the ‘Producer’ has complied.[footnote 35]

9 Months following Royal Assent:

Security Requirement 1: Ban universal default passwords

5.3 Enforcement roles and responsibilities

The government is proposing that the enforcement body would intervene when a report is received (from a security researcher, trade body, member of the public, industry, ‘Distributor’, ‘Producer’, etc.) notifying the enforcement body that the security requirements have not been complied with. For example:

  1. A ‘Producer’ has not met some or all of the security requirements.
  2. Compliance information provided to the consumer at the point of sale, by either the ‘Producer’ or ‘Distributor’ is incorrect/misleading/not present, e.g. the length of time for security updates.
  3. An investigation by the enforcement body has uncovered that the ‘Producer’ has not met some of the security requirements.

5.4 Non-compliance

The enforcement body may request evidence of non-compliance where possible and test products to verify any claims of non-compliance. The enforcement body may do this by investigating independently, contacting the ‘Producer’ or ‘Distributor’ for evidence, or by approaching any assurance scheme that is used.

When products are sold in-store, investigatory powers may be required to assess the product or conduct a test purchase for Security Requirements 1 (Ban universal default passwords) and 3 (Provide transparency on for how long, at a minimum, the product will receive security updates).

Where smart consumer products are sold online, the enforcement body may test-purchase the products, or request that a ‘Distributor’ who has supplied or made the products available on the market provide it with all the information and documentation within the ‘Distributor’s’ knowledge or possession which demonstrate that the provisions of the proposed legislation have been complied with.

Where non-compliance has been identified but the ‘Producer’ or ‘Distributor’ responsible is no longer trading and the products pose a significant risk to consumers, the enforcement body would have the powers to remove the products in question from the market.

5.5 Example enforcement actions

Where ‘Producers’ or ‘Distributors’ have not fulfilled their obligations under the legislation, the enforcement body would have access to a range of powers that could be implemented to remove the risk to UK consumers. The government proposes that enforcement powers would be used when voluntary actions have not removed the security risk and any enforcement measures undertaken would be proportionate to the seriousness of the risk, as agreed with the designated enforcement body.

Compliance measures and sanctions

The government is proposing that the designated enforcement body would be afforded a suite of enforcement powers, applicable to ‘Producers’ or ‘Distributors’ of all consumer smart products intended to be presented for sale to consumers in the UK, both online and in-store.

An example of existing corrective measures and sanctions is included in Box 10. These corrective measures and sanctions are largely based on powers in current product safety legislation available to existing regulators of product safety. This information is included in order to give an indication of the types of sanctions and corrective measures that are being explored.

Box 10 - Example of corrective measures and sanctions which could be made available to the designated enforcement body

Indicative detail - approach to be finalised

1. Voluntary and corrective measures

1.1 Supportive action taken to address non-compliance with the intention of counteracting the breach or violation, and reducing future risks. This may include an informal notification of non-compliance and a request for explanation or compliance, as well as support to build compliance into businesses through knowledge and education, compliance advice, guidance, training and technical support.

2. Compliance notice

2.1 A notification to the ‘Producer’ or ‘Distributor’ of non-compliance with the security requirements, requesting a response for action to be taken. The notice is issued by the enforcement body and would require the entity to take action to achieve compliance with the law and/or achieve compliance within a specified period.

2.2 Compliance Notices are used in order to prevent an offence from reoccurring or continuing e.g. they may be considered appropriate to prevent further supply of non-compliant products to consumers or ‘Distributors’.

2.3 A Compliance Notice would specify a date by which any necessary action to remedy non-compliance must be taken based on the individual circumstances.

3. Undertaking

3.1 An Enforcement Undertaking is a voluntary, legally binding agreement which is offered to the regulator where there are reasonable grounds to suspect that an offence has been committed. Within an Enforcement Undertaking, the alleged offender agrees to complete specified action within a specified timeframe, e.g.

a) Ensure the alleged offence(s) does not continue or recur (cessation of offending);

b) Ensure the restoration of the position, as far as possible, to what it would have been if the alleged offence(s) had not been committed; (restoration);

c) Ensure that, if appropriate, sums are paid, or action undertaken, to benefit any third parties affected by the alleged offence(s) (Restitution).

3.2 Failure to sign or a breach of a signed Undertaking may result in additional sanctions in line with the enforcement policy of the enforcement body.

3.3 If the enforcement body is satisfied that the Undertaking has been fulfilled they may provide a form of assurance that this has been completed.

4. Enforcement order

4.1 An enforcement body may apply to the County Court or High Court (civil court) for an enforcement order requiring the business to comply with the law. This may include the following consequences:

4.1.1. The order itself. A breach of the order is contempt of court, which carries a maximum penalty of a fine and two years’ imprisonment

4.1.2. An order to take specified measures including changes to business processes

4.1.3. An order to pay the costs of the investigation and the court proceedings

4.1.4 A requirement to publicise the order

5. Security notice

5.1 Suspension notice: If a breach of the regulations is identified, the enforcement body would temporarily ban the supply or sale of the product while tests are undertaken and results are awaited.

5.2 Withdrawal Notice: If a breach of the regulations is identified, the enforcement body would permanently prevent further supply or making available a product believed to be insecure, where it is already on the market (if voluntary action is insufficient or unsatisfactory).

5.3 Recall Notice: If there are reasonable grounds for believing that products that do not comply with regulations have been supplied or made available to consumers, and if voluntary action falls short of that considered necessary and sufficient to remove the risk, the power to serve a recall notice exists. This would require the entity on which it is served to take the steps identified in the notice to organise the return of the product from consumers. Where necessary the enforcement body may encourage ‘Distributors’, users and consumers to contribute to the implementation of this.

6. Forfeiture and destruction

6.1 Where products do not comply with regulation, and if the above measures do not resolve the non-compliance, the enforcement authority may apply to the court for an order for their forfeiture, destruction or scrap.

7. Administrative penalties

7.1 Issue of a penalty notice, in effect imposing a fine directly on a business without the need for court proceedings.

8. Financial penalty

8.1 Non compliance may lead to a fine (to be determined). [Other regulations consider fines of up to 4% of annual worldwide turnover in the preceding financial year.]

The government proposes that the designated enforcement body would seek to implement penalties for non-compliance initially using civil enforcement techniques. Continued non-compliance may lead to criminal action in line with the scale of the offence and subject to sanctions being breached. The designated enforcement body would not seek to push for prosecution in the first instance, but rather take a scalable approach via voluntary action, before utilising sanctions to deter non-compliance with the legislation. A proposed set of decision criteria for deciding on the appropriate enforcement action is outlined in Box 11.

As part of this proposal, the ‘Producer’ or ‘Distributor’ would have the right to appeal a sanction or corrective measure brought against them. This would include an appeals process that aligns with the processes used in existing product safety legislation.

Box 11 - Proposed decision criteria for enforcement action

Indicative detail - approach to be finalised

It is proposed that enforcement action taken in response to non-compliance would be guided by the following factors:

  1. Capacity and willingness (through cooperation and voluntary action) to remedy the issue and the residual risk if they do not
  2. Readiness to accept liability for actions (either publicly or privately to the enforcement body)
  3. Previous compliance record
  4. Timescales involved in responding or resolving the issue of non-compliance
  5. Causes for non-compliance, e.g. limited capacity or capability to comply with security requirements
  6. Occurrence of offence, e.g. is this a first time offence or have there been recurring offences from the same entity
  7. Evidence of non-compliance provided to support the issue or evidence of intentional wrongdoing (either by security researchers or the general public)
  8. Size and impact of non-compliance, e.g. the number of products affected
  9. Scale of non-compliance of the security requirements, e.g. non-compliance of one, two or all security requirements
  10. Emerging risk as a result of non-compliance, and the likelihood that the exposed vulnerabilities can be exploited
  11. Whether corrective measures, civil sanctions and penalties have been exhausted, and whether the non-compliance meets the threshold to be classified as a criminal case
  12. The impact of pursuing criminal prosecution on the judicial system, personnel, supply chains and operations

5.6 Enforcement body considerations

As part of developing the proposed enforcement approach, the government is reviewing the existing regulatory landscape and considering several existing regulators who may be in a position to act as the appropriate enforcement body who would monitor compliance with the legislation, conduct any investigation or testing and take appropriate enforcement action as needed.

Any regulatory or enforcement body would be required to comply with the Regulators’ Code, which requires a proportionate and evidence-based approach and sets out principles for how regulatory functions are exercised. The designated enforcement body would therefore be required to follow good regulatory practice, including meeting the Regulators’ Code.

Ideally, the designated enforcement body would have existing structures in place to monitor non-compliance, issue penalties and other sanctions, which would be proportionate and reasonable and based on the level of risk posed to consumers. Support to upskill or recruit individuals with technical cyber security knowledge could also be provided, as necessary.

Box 12 - Example considerations for designating an enforcement body

Indicative detail - approach to be finalised

The criteria that would be considered when identifying the enforcement body would include, the:

  • scope and alignment of the proposed legislation with the relevant expertise of the enforcement body;
  • approach used to regulate against non-compliance;
  • capacity and resources available to the enforcement body to conduct enforcement activities;
  • capabilities and skills of the enforcement body to conduct enforcement activity;
  • existing relationships with the stakeholders who would be subject to the provisions of the legislation;
  • future scope of the enforcement body to enforce additional security requirements;
  • funding model used to operate the enforcement approach and its sustainability, and
  • monitoring and reporting capabilities.

Box 13 - Example powers for the enforcement body

Indicative detail - approach to be finalised

Although these are subject to change, the powers of the enforcement body could include, the:

  • ability to fund testing in testing houses;
  • ability to have a central reporting mechanism for use in instances where initial reports to the ‘Producer’ have not resulted in action, or if products are identified from manufacturers that have no mechanism for vulnerability disclosure. This central reporting mechanism would enable security researchers, consumer groups, the general public and others, to report vulnerabilities in products within scope;
  • capability to produce guidance materials for product compliance assessments to ensure compliance;
  • ability to allocate an enforcement team with a responsibility of testing and monitoring products within scope;
  • power to make a purchase of a product in order to test it or authorise an officer of the enforcement body to make a purchase of a product;
  • ability for an officer of the enforcement body to enter and search any premises other than premises occupied only as a person’s residence and inspect any record or product;
  • ability to obtain and use search warrants and other such authorities;
  • powers to prohibit the obstruction of officers and take action accordingly.

In addition to the proposals outlined above, the technical implementation of the enforcement approach would be informed by existing structures and infrastructure already in place within the designated enforcement body. The details of the enforcement activities would be agreed in collaboration with the designated enforcement body.

5.7 Enforcement body

Designation of an appropriate enforcement body, or bodies, and the regulatory model, will be considered subject to the wider feedback and evidence received in this Call for Views. Identification of a suitable enforcement body will require further engagement with a number of existing enforcement bodies, government departments and key stakeholders to understand the regulatory landscape, further discovery with a range of existing enforcement bodies and the collation of supporting information on existing activity taking place.

Conversations have been held with a number of existing enforcement bodies to scope the regulatory landscape and to solicit feedback and invite input into these proposals. These bodies include those that DCMS is already engaging with in other policy areas to benefit from lessons learned, those who are currently undertaking similar enforcement activities in relation to existing product safety regulations and also bodies who are part of the wider landscape, but may have an interest in these proposals.

The organisations that have been spoken to are listed below, however it is important to note that this is not a shortlist of candidates, as some have been engaged in order to solicit input and share learning only. However, further, more detailed conversations with a selection of these regulators and other key stakeholders are planned. The enforcement bodies that have been engaged to date include:

  • The Office for Product Safety and Standards in the Department for Business, Energy and Industrial Strategy, which is an enforcement authority for the safety of a wide range of consumer products in the UK, including the General Product Safety Regulations.
  • National and Local Trading Standards representatives in relation to their cross border, regional, national or local focus to protect consumers and provide advice. Local authority Trading Standards have powers under Schedule 5 of the Consumer Rights Act 2015.
  • Ofcom, as the enforcement authority for the use of wireless devices [under the Radio Equipment Regulations 2017 and the Electromagnetic Compatibility Regulations 2016], in its role to protect and manage the radio spectrum.
  • The Information Commissioner’s Office: UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Sponsored by DCMS.
  • The Financial Conduct Authority, which is the regulator responsible for consumer protection in the financial markets.
  • The Competition and Markets Authority has a range of powers and functions, including the enforcement of competition and consumer law, the regulation of mergers, and conducting market investigations.

Privacy notice

The following is to explain your rights and give you the information you are entitled to under the Data Protection Act 2018 and the General Data Protection Regulation (“the Data Protection Legislation”). This notice only refers to your personal data (e.g. your name, email address, and anything that could be used to identify you personally) not the content of your response to the survey.

1 - The identity of the data controller and contact details of our Data Protection Officer

The Department for Digital, Culture, Media and Sport (“DCMS”) is the data controller. The Data Protection Officer can be contacted by emailing dcmsdataprotection@dcms.gov.uk. You can visit the DCMS website to find out more about how DCMS uses and protects your information.

2 - Why your personal data is being collected

Your personal data is being collected as an essential part of the Call for Views process, so that the government can contact you regarding your response and for statistical purposes, such as to ensure individuals cannot complete the survey more than once.

3 - The legal basis for processing your personal data

The Data Protection Legislation states that, as a government department, the department may process personal data where this is necessary for the effective performance of a task carried out in the public interest; a Call for Views is such a task.

4 - How your personal data will be shared

Copies of responses may be published after the survey closes. If this happens, the government will ensure that neither you nor the organisation you represent are identifiable, and any response used to illustrate findings will be anonymised.

Qualtrics is the online survey platform used to conduct this survey. It will store the data in accordance with DCMS instructions; the Qualtrics privacy policy is available on the Qualtrics website.

If you want the information that you provide to be treated as confidential, please contact foi@dcms.gov.uk. Please be aware that, under the Freedom of Information Act (FOIA), there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. In view of this, it would be helpful if you could explain why you regard the information you have provided as confidential. If the government receives a request for disclosure of the information, the government will take full account of your explanation, but cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the Department.

5 - How long your personal data will be kept for

Your personal data will be held for two years after the survey is closed. This is so that the department is able to contact you regarding the result of the survey following analysis of the responses.

6 - Your rights in relation to access, rectification and erasure of data

The data that is being collected is your personal data, and you have considerable say over what happens to it. You have the right:

  • to see what data we have about you;
  • to ask us to stop using your data, but keep it on record;
  • to have all or some of your data deleted or corrected;
  • to lodge a complaint with the independent Information Commissioner if you think we are not handling your data fairly or in accordance with the law.

You can contact the ICO via the ICO website, by telephone 0303 123 1113 or by post:

ICO
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

7 - Additional information

Further to the above, you should also be aware of the following:

  • Your personal data will not be sent overseas.
  • Your personal data will not be used for any automated decision making.
  • Your personal data will be stored in a secure government IT system.

Appendix 1. Accompanying questions

The questions set out below seek your feedback on the government’s proposed approach and for stakeholders to raise any gaps or comments. Respondents are invited to provide answers to these questions using the online feedback survey for this Call for Views. Alternatively, respondents can download and populate the feedback form on the main page and email responses directly to securebydesign@dcms.gov.uk.


Demographic questions

1) Are you responding as an individual or on behalf of an organisation?

a) Individual

b) Organisation


2) [if individual] Which of the following statements best describes you?

a) Cyber security professional

b) Employer/employed in the consumer goods sector

c) Professional in another sector

d) Public sector official

e) Academic

f) Interested member of the general public

g) Other


3) [if organisation] Which of the following statements best describes your organisation? Please select all that apply

a) Producer of consumer smart products

b) Distributor / seller of consumer smart products

c) Cyber security provider

d) An academic or educational institution

e) A trade body representing ‘Producers’

f) A trade body representing ‘Distributors’

g) Other


4) [if organisation] Which of the following best describes your organisation?

Note that this information will be used to enable a view of how these proposals will impact businesses based in different countries in the UK, as well as those based outside of the UK.

a) UK only based organisation [conditional follow-up - which country is your organisation’s head office based in? England / Scotland / Wales / Northern Ireland]

b) Multinational organisation based in the UK [conditional follow-up - which country is your organisation’s head office based in? England / Scotland / Wales / Northern Ireland]

c) Multinational organisation based in an EU country outside of the UK, which operates in the UK [please specify the country your organisation’s head office is based in]

d) Multinational organisation based in a non-EU country outside of the UK, which operates in the UK [please specify the country your organisation’s head office is based in]

e) Other


5) [if organisation] Which one of the following best describes the sector of your organisation?

a) Cyber security

b) Production / Manufacturing

c) Distributor / Wholesale / Retail

d) Telecom providers

e) Information & communication technology (ICT)

f) Health

g) Critical National Infrastructure and National Security - please specify additional details

h) Transport & Storage (inc. postal)

i) Finance & insurance

j) Property

k) Construction

l) Business administration & support services

m) Education / Academia

n) Public administration & defence

o) Arts, entertainment, recreation

p) Agriculture, forestry & fishing

q) Civil society

r) Accommodation & Food services

s) Other services - please specify


6) [if organisation] Including yourself, how many people work for your organisation across the UK as a whole? Please estimate if you are unsure.

a) Fewer than 10 people

b) 10–49

c) 50–249

d) 250–999

e) 1,000 or more


7) [if organisation] What is the name of the organisation you are responding on behalf of?


8) Are you happy to be contacted to discuss your response and supporting evidence?


9) [if yes to 8] Please provide a contact name and email address below.

Scope of regulation questions

10) To what extent do you agree or disagree that the following categories of conventional IT products should be included within the scope of the proposed regulation?

a) Laptops [scale from strongly disagree to strongly agree]

b) PCs [scale from strongly disagree to strongly agree]

c) Smartphones [scale from strongly disagree to strongly agree]

Please explain the reasons for your answers to the above question:


11) The ambition of this regulation is to establish a robust baseline across all smart connected products and to protect consumers and the wider economy from a range of harms. Please detail any unintended impacts that this proposed regulation would have, beyond the ambition stated above, to your organisation / the wider economy.

Please think about the proposed definitions of ‘Producers’, ‘Distributors’ and any other organisations in the consumer smart product supply chain when answering this question. Please clearly state which types of organisation you are referring to in your response.

a) Producers

b) Distributors

c) Other organisations (please specify)

d) Wider economy


12) Please share your views on the suggested supplementary guidance to help businesses to implement the proposed security requirements provided in Section 4 - Obligations. Are there any other forms of guidance you feel should be included?


13) The proposed approach suggests using a broad definition of the network-connectable product classes that could be in scope, and then specifying particular categories of products that are out of scope.

a) Do you agree or disagree with this suggested approach? Please explain your answer.

b) Please share any views you have on alternative wording, approaches, or ways to improve the proposed approach

Security requirements feedback

14) Please outline below any further feedback on the security requirements, as set out in section 3.3 of the Call for Views.

Obligations questions

15) This proposal requires an exchange of information between ‘Producers’ and ‘Distributors’ in the supply chain to confirm compliance:

4.2 - Box 6 - Draft proposal and example guidance content for ‘Producer obligations’

“A prohibition on a ‘Producer’ from supplying or making a product within scope available in the UK market unless the product is compliant with the security requirements.”

This places an obligation on ‘Producers’ to evidence compliance with the security requirements to the ‘Distributors’.

a) Should this information exchange approach set out in box 6 be adopted? Please explain your answer.

b) Should ‘Distributors’ also have obligations as part of this information exchange? Please explain your answer.


16) The proposed approach intends to include entities who supply or make products available online, e.g. those who act as a marketplace or a platform for consumer sales online, or who provide either first- or third-party sales. Do you agree with this approach? Please explain your answer.


17) Should the definitions such as ‘Producer’ and ‘Distributor’ (see box 5 and 7) in existing product safety regulations (such as the Radio Equipment Regulations 2017, and the General Product Safety Regulations 2005), be used as a basis for the definitions in this proposal?

If no, please provide details of any alternative approaches that could be considered.

Enforcement approach questions

18) Box 10 describes a suite of example corrective measures and sanctions which could be made available to the enforcement body in the event of non-compliance. These are listed below (see Box 10 for further details):

  • Voluntary and Corrective Measures
  • Compliance Notice
  • Undertaking
  • Enforcement Order
  • Security Notice
  • Forfeiture & Destruction
  • Administrative Penalties
  • Financial Penalty

a) Is this proposed suite of corrective measures and sanctions proportionate overall? Please explain your answer.

b) Are each of the potential measures above an effective response or deterrent to non-compliance? Please explain for each of the 8 proposed measures.


19) Are there significant barriers that would prevent your organisation from becoming compliant with the security requirements within the suggested timescales for compliance (detailed in Box 9 and summarised below)?

Security requirement 1

Ban universal default passwords - 9 months

Security requirement 2

Implement a means to manage reports of vulnerabilities (providing a publicly available vulnerability disclosure policy which includes at least contact information for the reporting of issues, and information on timelines for initial acknowledgement of receipt and status updates until the resolution of the reported issues) - 3 months

Security requirement 3

Provide transparency on how long, at a minimum, the product will receive security updates - 6 months

[if Yes, what are the barriers for implementation to the suggested timescales, how much time would be required for your organisation to become compliant with the security requirements (in months) and could these barriers be mitigated?]


20) Please provide details of any additional costs to your organisation that would result from implementing each of the security requirements in our proposed approach:

If your organisation is both a ‘Producer’ and ‘Distributor’ of consumer smart products, please indicate explicitly which aspect of your organisation’s operations these costs / benefits would impact in your answers. Please also indicate whether the costs cited are one-off, or would be incurred annually.

a) Ban universal default passwords

b) Providing a means to manage reports of vulnerabilities (providing a publicly available vulnerability disclosure policy which includes at least contact information for the reporting of issues, and information on timelines for initial acknowledgement of receipt and status updates until the resolution of the reported issues)

c) Provide transparency on how long, at a minimum, the product will receive security updates

d) Please provide details of any benefits to your organisation that would result from the implementation of these security requirements.


21) Please estimate any additional reporting impacts or costs to your organisation resulting from:

a) The proposed obligation for ‘Producers’ to demonstrate compliance with the security requirements to ‘Distributors’;

b) The requirement for ‘Distributors’ to process information from ‘Producers’;

When answering this question, where possible, please clearly describe any costs or wider impacts, including job roles, the estimated number of hours of staff time associated with each job role, total cost estimates per product line (specifying whether one-off or annual) and overall estimated total annual cost to your organisation.

c) Are there any ways we could tailor our approach to mitigate these reporting impacts?


22) To what extent do you agree with the proposed approach within 5.6 Enforcement body considerations?

a) Do you agree with the approach in Box 12 (Considerations for designating an enforcement body)?

b) Are you supportive of the approach in Box 13 (Example powers for the enforcement body)?

Appendix 2. Proposed definitions

Please note that all definitions provided either reflect the government’s proposed policy approach, or are indicative of existing approaches, standards, or regulations that represent the intent of this proposed legislation. These definitions are not final and remain subject to change.

The following terms form part of the scope statement and the security requirements. Text in single quotation marks in the relevant sections denotes terms that are defined here. The definitions provided here are similar to those within the European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1.

  • ‘accessible way’: way that omits unnecessary barriers to obtaining or reporting information, including for consumers in the UK

This proposal aims to prevent the use of premium-rate phone numbers as the route for obtaining information about the defined support period, and to prevent that information from being buried on a website. It also aims to prevent websites from being exclusively in a foreign language when the device is intended for the UK market.

  • ‘associated service’: digital service that, together with the device, is part of the overall ‘product’ and that is required to provide the ‘product’s intended functionality, for example mobile applications and cloud storage
  • ‘clear and transparent’: can be easily understood and states all relevant dependences
  • ‘defined support period’: minimum length of time, expressed as a period or by an end-date, for which a device will receive ‘security updates’
  • ‘device’: physical thing, including its hardware and software components, as part of the overall ‘product’
  • ‘network-connectable’: has one or more network interface that can receive and/or transmit digital data

‘Digital’ is specified so as to exclude purely analogue audio equipment.

  • ‘password’: a string of characters used for authentication or authorisation purposes. This includes zero-length (empty) passwords, but it does not include cases where no password could reasonably be set.

For the purposes of this legislation the following are not defined as passwords:

  • Cryptographic keys used for encryption of data on a device.
  • API keys, unless the API key is the sole form of authentication to the device.
  • A default PIN, password or key used for Bluetooth® or Zigbee® pairing.

Default PINs, passwords or keys for Bluetooth® or Zigbee® pairing are excluded from the definition of passwords for legacy reasons. This authentication approach remains commonplace, but it brings security challenges and better mechanisms are available. At this time, where possible, it is recommended to use a secure method of authentication. A future update to this regulation will likely remove this exclusion.

  • ‘product’: a device and its associated services
  • ‘security updates’: software updates that improve the security of the product, such as by addressing a security vulnerability
  • ‘sub-system’: part of a device that participates in the operation of that device
  • ‘Supply’ (GPSR) - ‘supply’ in relation to a product includes making it available, in the context of providing a service, for use by consumers;
  • ‘unique per device’: unique for each individual device of a given product class or type
  • ‘user’: natural person

Defining ‘user’ as a natural person means that, for the purposes of requirement 1.1, a default password does not count as having been changed by the user when it has been changed by an automated process (a bot) rather than by a person.

  • ‘vulnerability’: weakness of software, hardware, or online service that can be exploited
  • ‘vulnerability disclosure policy’: policy that states the responsibilities of relevant parties to manage ‘vulnerabilities’, including the process through which third parties are able to report issues.

Footnotes

  1. Which? Report, October 2019: The Cheap Security Cameras Inviting Hackers into Your Home

  2. Alongside work on regulation, DCMS is also compiling evidence to help evaluate how the security of other areas of technology could be improved, such as app stores and routers. This work also involves identifying opportunities to further embed the European Standard (EN 303 645) within relevant sectors. 

  3. Government response to consultation on proposals regarding smart appliances, October 2018 

  4. NIST, June 2017, Special Publication 800-63B: Digital Identity Guidelines 

  5. IoTSF, March 2020, Consumer IoT: Understanding the Contemporary Use of Vulnerability Disclosure - 2020 Progress Report 

  6. Example definition in General Product Safety Regulations 2005. “supply” in relation to a product includes making it available, in the context of providing a service, for use by consumers 

  7. Example definition in Radio Equipment Regulations 2017. “make available on the market” means any supply for distribution, consumption or use ….on the EU market in the course of a commercial activity, whether in return for payment or free of charge, and related expressions must be construed accordingly.

  8. RSM UK Consulting LLP, with YouGov and the European Centre for International Political Economy. 18% in store, 4% via telephone and 4% of participants couldn’t remember where. n= 2,613 

  9. Please note that the base sizes for this survey are small, therefore these results are not representative and should be interpreted with caution. 

  10. RSM UK Consulting LLP, with YouGov and the European Centre for International Political Economy, page 88, n= 9. 

  11. RSM UK Consulting LLP, with YouGov and the European Centre for International Political Economy, page 77, n= 12. 

  12. RSM UK Consulting LLP, with YouGov and the European Centre for International Political Economy, page 83, n= 9. 

  13. RSM UK Consulting LLP, with YouGov and the European Centre for International Political Economy, page 87, n= 7. 

  14. RSM UK Consulting LLP, with YouGov and the European Centre for International Political Economy, page 73, n= 8. 

  15. RSM UK Consulting LLP, with YouGov and the European Centre for International Political Economy, page 75 

  16. An alternative would be to split timescales between the “Producer” and “Distributor” to ensure that each entity has sufficient time to take any necessary action, however this may be restrictive.