Written evidence submitted by Dr Subhajit Basu, Associate Professor, School of Law, University of Leeds
I am writing as an academic working in the area of regulation of emerging technologies. I am an Associate Professor (Law) at the University of Leeds. I have published on different aspects of the regulation of cyberspace and contributed to the critical policy debate around AI, Big Data, health data, and autonomous systems.
What has been or will be the most important impacts of increasingly prevalent smart and connected technology in our lives, including in the home, in the workplace and our towns and cities, and are they necessarily better than current systems?
Smart and connected technologies have begun to permeate almost every aspect of human activities, and these technologies will seriously impact our lives soon. Within the last decade, smart technologies have significantly improved our society. One of the earliest and most important advancements has been the introduction of medical emergency response systems. These systems can support health in everyday living. Smart devices such as smartwatches can self-monitor personal activity, obtain feedback based on activity measures, allow in-situ surveys to identify behaviour patterns, and support bi-directional communication with health care providers[1]. This technological advancement is heavily based on advances in machine learning and enhanced data analytics capability, which significantly affects our privacy. The most exciting, disruptive and portentous aspect of the smart world is a future full of personal data. Smart applications can independently create potentially personal data. Even more alarming is the prospect that these technologies have converted everyday devices into personal data because of their ability to reveal information about our daily activities. There are two significant problems here. First, any data, however remote, can be linked to a person and with a high degree of precision. It also means any data can be interpreted as personal data. Second, if we accept the benefits of a smart system's autonomy, we must accept the consequences of independence and unpredictability that come with such autonomy. The choice is between submitting to automation or refusing to have a decision made at all. Apart from practical problems, the proliferation of personal data could undermine data protection regimes by calling into question the value that personal data protects. This technology is influencing privacy not just by changing the accessibility of information but also by changing the privacy norms themselves.
However, the attribution problems and their implications for accountability and responsibility are even more complex.
Are there any groups in society who may particularly benefit from or be vulnerable to the increasing prevalence of smart technology, such as young or elderly people, people with disabilities and people likely to be digitally excluded?
Smart technologies are having a tremendous impact on our daily lives. However, this impact has not affected everyone equally. There are various benefits to using these technologies in life, such as increased productivity through automation and self-monitoring health. However, how the smart devices or the technologies influence individuals would be different according to various characteristics of the technology adopters. Older adults may benefit from smart technologies to support their everyday activities and compensate for age-related changes. This technology can facilitate ageing-in-place by assisting patients with emergency assistance, fall prevention/detection, reminder systems, medication administration and help for those with hearing, visual or cognitive impairments[2]. The voice-assisted smart technologies (virtual personal assistants) can potentially narrow the digital divide for visually impaired people. However, it is also important to note that the advent of these technologies could create another layer of exclusion composed of a skill gap and a gap in physical access to smart technologies for socially and economically disadvantaged groups. Academic research has shown that non-users are increasingly older, less educated, and more likely to be unemployed, disabled, and socially isolated[3]. The most formidable hurdle, unfortunately, comes from the harsh economic realities that drive the information society, which mean that some of these technologies are expensive and would remain out of reach (affordability) for a significant portion of the population. There have to be policies and action plans to ensure that individuals and disadvantaged groups have access to smart technologies and the skills to use them and are therefore able to participate in and benefit from them.
How can we incentivise or encourage design that is safe, secure, environmentally- and user-friendly and human rights compliant?
Trust in smart technologies cannot always be taken for granted, as we cannot simply assume that these devices will be well-designed and implemented, behave correctly and therefore conform to the specification; explicit assurances and guarantees must be provided to this effect. It can be achieved by developing a notion of responsibleness through transparency; at present, the way principles and governance processes are designed and operationalised requires addressing the current top-down power imbalances brought about because of the non-transparent nature of this industry and the consequent lack of representation and inclusivity in design choices, policy and oversight processes. The aim should be to ensure that the smart technologies factor consumer trust natively into the design (trust and security by design) and that people-centric trusted systems are designed and developed. For example, devices could be designed to limit traffic data (from smart devices) outside the home or network environment. However, the same traffic data may be needed to train machine learning algorithms, or the device might require a connection to cloud services for optimal functioning. This suggests two outcomes. On the part of developers and designers, there is little incentive to adopt privacy by design because of its impact on innovation. On their part, users are still stuck in the classic dilemma of choosing utility over privacy, as they cannot reasonably block smart traffic from leaving their home or network environment without making their devices unusable or limiting their functionality. Therefore, implementing privacy by design could mean a choice between getting privacy settings right and impairing the functionality of systems and devices.
Hence, designing and building trustworthy, smart and connected technologies requires mechanisms to explicitly allow the system to account for its behaviour and actions and concomitant responsibilities flowing from these concerning achieving its goals and design objectives within a specific context that encompasses its principal users and the environment. Irrespective of the environment in which they operate, smart and connected technologies need to monitor their actions and operations, deal with errors, self-heal, and learn and modify their behaviour to remain resilient and, in this context, understand failure to fulfil responsibilities. However, the development of responsible, smart technologies cannot be viewed exclusively as a technical challenge.
What are the key short- and long-term risks and threats, and how can we ensure the devices, systems and networks of individuals, businesses and organisations are digitally-literate and cyber secure?
Cybersecurity concerns have presented significant challenges for smart technologies. This is because privacy-preserving large-scale data analytics are crucial to advancing the productivity and effectiveness of our digital society while preventing severe threats to citizens and enterprises. When everything is connected, everyone is vulnerable. Smart technologies have increased the range and scope of devices involved in financial, medical and social data flows. Smart technologies have their fair share of risks and disadvantages. Any device connected to the internet is susceptible to a cyberattack. As smart devices can interact directly with the real world through sensors, any vulnerability on one device can create a huge security risk, such as opening locks at home and providing personnel, processes and other devices with access, management and monitoring capabilities. The damage incurred to the device and data can be significant. Smart technologies (and their users) can quickly become victims of cyber-extortionists responsible for the ransomware epidemic. Cyber-extortionists either steal the data to sell to other criminals or hold it as a ransom for a profit. A ransomware attack can impact an organisation through the three main aspects of information security: confidentiality, integrity and availability. The sheer number of attacks indicates that anti-ransomware defences do not work or have limited effectiveness. A consensus is growing that cyber-security is not entirely achievable by solely focusing on technological aspects. As ransomware becomes commoditised, it has raised questions about the efficacy of the regulatory structures. Access control and data encryption are essential preventive cyber security measures. However, adequate protection of networks, datacentres and smart appliances requires defensive measures capable of detecting and fending off threats and attacks in the form of intrusion, DDoS and other forms of advanced persistent threats.
However, technology-based defensive measures are limited and may only prove an intermediate measure until the perpetrators can adapt and circumvent them. The protection and effective countering of such attacks requires a better legal framework defining crime and its severity to provide the necessary foundation for subsequent prosecution and criminal justice. Nevertheless, for behaviour to be classified as a crime and prosecuted, laws must outline the illegality of the behaviour and possible sanctions involved.
How will current geopolitical concerns influence domestic consumers, e.g. regarding standards of imported goods or in how we can deal with cyber threats?
The COVID-19 pandemic and the Russian invasion of Ukraine have laid bare the weak points in international trade, particularly over-dependence on a particular country in the supply chain and globalisation. It is well documented that various governments, typically working with private sector companies in their respective countries, have incorporated spyware, malware or similar programs in computer-based products that are then exported worldwide.[4] Cybersecurity concerns are not just a regulatory compliance issue but rather a geopolitical issue as it has presented substantial national security challenges. Hence there must be a national cybersecurity strategy to protect not just individual consumers but society as a whole[5], including the possible prohibition of products coming to the country from questionable jurisdictions. Furthermore, many smart devices, particularly those manufactured outside the country, do not have adequate inbuilt cybersecurity measures. In this respect, it is essential to reiterate that "security by design" is pivotal. The Product Security and Telecoms Infrastructure Bill is a step in the right direction. This legislation proposes to regulate the cyber security of all consumer network-connectable devices and their associated services. The manufacturers of these devices will need to comply with three new security requirements. These are: a ban on universal default passwords; a vulnerability disclosure policy to allow any security issues to be reported in an accessible way; and a requirement to provide transparency, at the point of sale, regarding the minimum amount of time during which a product will receive security upgrades. The new law will place obligations on manufacturers and distributors, enforced by a body with powers to impose a range of sanctions, including criminal prosecution. However, the Computer Misuse Act needs updating as it cannot deal with evolving cyber threats.
Do existing frameworks, like data protection legislation and the Public Security and Telecommunications Infrastructure Bill, adequately address concerns with smart technology, and if not, how could they be changed?
There is a growing sentiment within the legal academic community that existing data protection laws are adequate for dealing with the challenges and potential risks to privacy and rights to equal treatment that smart and connected technologies will generate. However, a broad and growing literature makes it clear that designing privacy and sharing control is complex. In many cases, people do not understand the meaning of privacy settings in their services. Arguably the most critical challenge for privacy associated with smart technologies is understanding, managing and regulating the flow of information between smart devices. This will more than likely require something more hard-edged than the consent approach that data protection law currently rests on: but, as yet, legal scholars are still struggling to articulate what this something more might be. There is a need to explore alternative, more robust and trust-enhancing approaches to the flow of personal information generated by smart technologies. In this respect, it might be helpful to focus the analytical exploration of privacy via Nissenbaum's influential theory of privacy as contextual integrity[6]. For example, suppose a smart device only needs to know whether the user is home. In that case, the application should only get that single piece of information instead of blanket access to a user's location data. This highlights the mismatch between the level of data accessed and the level of data required. Also, the governance challenges need to be considered in the current construction of governance frameworks to avoid them becoming quickly obsolete. For example, given the potential difficulties with safety, reliability and predictability, what are the thresholds for allowing smart technology to be deployed? Data protection vulnerabilities in the existing legal framework should be examined. Smart technologies should develop mechanisms that enable a system to monitor and account for its behaviour and actions.
The proposed Product Security and Telecommunications Infrastructure Bill, which aims to improve the UK's resilience to cyber attacks, is a step in the right direction, as it is well known that the voluntary Code of Practice for Consumer IoT Security was never entirely implemented by the industry. The Bill needs to expand the definition of smart and connected devices to provide better protection.
[1] Reeder, B., & David, A. (2016). Health at hand: A systematic review of smart watch uses for health and wellness. Journal of Biomedical Informatics, 63, 269–276.
[2] Cheek, Penny BSN, RN; Nikpour, Linda BSN, RN; Nowlin, Heather D. BSN, RN Aging Well With Smart Technology, Nursing Administration Quarterly: October 2005 - Volume 29 - Issue 4 - 329-338
[3] Helsper, Ellen Johanna and Bianca C. Reisdorf. “The emergence of a “digital underclass” in Great Britain and Sweden: Changing reasons for digital exclusion.” New Media & Society 19 (2017): 1253 - 1270
[4] https://www.reuters.com/article/us-usa-security-kaspersky/israeli-spies-found-russians-using-kaspersky-software-for-hacks-mediaidUSKBN1CG05P.
[5] OECD Digital Economy Papers Cybersecurity Policy Making at a Turning Point. Paris, 2012, https://www.oecd-ilibrary.org/science-and-technology/cybersecurity-policy-making-at-a-turning-point_5k8zq92vdgtl-en
[6] Helen Nissenbaum, Symposium, Privacy as Contextual Integrity, 79 Wash. L. Rev. 119 (2004). Available at: https://digitalcommons.law.uw.edu/wlr/vol79/iss1/10