Security of Government Devices

Volume 828: debated on Tuesday 21 March 2023

Statement

The following Statement was made in the House of Commons on Thursday 16 March.

“As this week’s integrated review refresh demonstrated, the Government are strongly committed to bolstering our national security to meet the challenges of both today and tomorrow. We take the security of government devices very seriously, and we are constantly working to ensure that those devices remain as safe and secure as possible. As part of that effort, I recently commissioned a review by our cybersecurity experts to assess the risks posed by certain third-party apps on government devices and in particular the installation and use of TikTok. I know that there has been a lot of interest in this issue in the House, so I wanted to take this opportunity to update Members.

The review has concluded and it is clear that there could be a risk around how sensitive government data is accessed and used by certain platforms. As many colleagues will know, social media apps collect and store huge amounts of user data, including contacts, user content and geolocation data. On government devices, that data can be sensitive, and so today we are strengthening the security of those devices in two key respects.

First, we are moving to a system where government devices will only be able to access third-party apps that are on a pre-approved list. This system is already in place across many departments, and now it will be the rule across government. Secondly, we are also going to ban the use of TikTok on government devices. We will do so with immediate effect. This is a precautionary move—we know that there is already limited use of TikTok across government—but it is also good cyber hygiene.

Given the particular risk around government devices that may contain sensitive information, it is both prudent and proportionate to restrict the use of certain apps, particularly when it comes to apps where a large amount of data can be stored and accessed. This ban applies to government corporate devices within ministerial and non-ministerial departments, but it will not extend to personal devices for government employees or Ministers or the general public. That is because, as I have outlined, this is a proportionate move based on a specific risk with government devices. However, as is always the case, we advise individuals to practise caution online and to consider each social media platform’s data policies before downloading and using it. Of course, it is the case that Ministers receive regular security briefings and advice on protecting data on their personal devices and on mitigating cyber threats.

We will also be putting in place specific, very limited exemptions for the use of TikTok on government devices where it is required for operational reasons. Those exemptions will only be granted by security teams on a case-by-case basis, with ministerial clearance provided as appropriate. Overall, this approach aligns with action taken by allies, including the United States, Canada and the EU.

Our security must always come first. Today we are strengthening that security in a prudent and proportionate way, and I commend this Statement to the House.”

My Lords, I welcome the announcement of this ban but the question of why it has taken the United Kingdom so long to come to the same conclusions as many of our closest allies remains. As Angela Rayner noted in the Commons just weeks ago, the Secretary of State for Science, Innovation and Technology said that there was “no evidence” for a ban being brought forward. So what changed? Has there been a specific incident that prompted a shift in policy? I hope the Minister will be able to answer that. Oliver Dowden, the Chancellor of the Duchy of Lancaster, was honest that the previous list of banned apps did not apply to every government department. Can the Minister outline which departments were exempt and why?

A number of MPs asked about the rules for Ministers’ personal devices. Given recent revelations about the scale and use of WhatsApp and personal email across government, the Chancellor of the Duchy of Lancaster said that any substantive government business should be done on official devices. Will new guidance on the use of personal devices and WhatsApp clearly define what is meant by “substantive government business” or will that be a matter of personal interpretation? We have already heard Grant Shapps appear to say that he wants to continue to use his own personal device and use “TikTok”.

I did ask someone earlier what TikTok is—I thought I was a modern person, but clearly not.

Can the Minister tell us whether this sort of interpretation is going to involve a change in the Ministerial Code? A Minister may not think sharing a draft Written Ministerial Statement on personal email qualifies either as substantive business or as a security risk, but the Home Secretary was of course temporarily forced out after sending such material to the wrong people. Oliver Dowden also talked about the granting of exemptions for operational reasons. Can the Minister provide an example of why a banned app may be deemed necessary? If she cannot today, could she write with such an example?

This debate takes place in the context of wider concerns about some forms of Chinese-made technology, including CCTV camera systems. On 2 February, my noble friend Lord Bassam of Brighton asked when the Government would commence important product security provisions under the Product Security and Telecommunications Infrastructure Act, which is intended to protect users of smart products such as CCTV doorbells. The noble Lord, Lord Parkinson of Whitley Bay, was unable to provide any date. I hope the Minister can do so today. The Government said they intended to bring the first half of that Act into force as soon as practicable, so why are we still waiting?

My Lords, as a long-standing deputy chair of the all-party China group, I welcomed the proportionate approach taken in the Government’s statements in the integrated review refresh about relations with China. In the face of the current human rights position in Xinjiang and the situation in Hong Kong, however, this should not change any time soon.

On these Benches, we are in strong agreement with those who consider that the Government could and should have been a great deal more strategic about relationships with sensitive Chinese suppliers—whether internet or data based, hardware or software related—in the run-up to this Statement. This is a one-off Statement about TikTok, a social media company. It would be good to see the assessment and the evidence of potential cybersecurity issues which the Government have not yet—as far as I know—produced.

However, when it comes to makers of surveillance cameras, as the noble Lord, Lord Collins, said, the Government appear far more reluctant to act. The Surveillance Camera Commissioner, Professor Fraser Sampson, has been very clear in his warnings, in particular about Hikvision and Dahua cameras, which, as far as we know, are used extensively in Xinjiang for surveillance purposes and pose security risks here, even when live facial recognition is not enabled.

Just last week, we saw Tesco lead the way in the private sector and order the removal of these cameras from its stores. The Government have simply ceased to install them. Why are they not directing their removal, particularly in police forces? Have they mapped exactly where on the government estate and in other spaces these cameras remain?

Regarding TikTok, why act so late when the EU and US, as the noble Lord, Lord Collins, mentioned, acted earlier? Presumably they have the same security information. When did the evidence emerge that has led to this ban? Will the Government publish the review by cybersecurity experts which assesses the risks posed by these third-party apps on government devices?

As the noble Lord, Lord Collins, also mentioned, why are private devices used by government Ministers not covered? I note that Oliver Dowden repeated that position last week. After all, we know there has been extensive use of private devices by Ministers, particularly—dare I say—among former Health Ministers. What assessment of this aspect has been made? Which government departments and public bodies are actually covered? What is the process for drawing up the promised approved list of apps? What criteria will be used?

As many said in the Commons, this looks like whack-a-mole; the Statement is no substitute for a coherent cross-government strategy. Why do the Government not now move, for instance, to include the capture of biometric data in the definition of “critical national infrastructure”? Questions have been raised recently about Chinese cellular internet of things modules—CIMs—which are imbedded in many devices. What is the Government’s approach to this? Are they even aware of what CIMs are?

Finally, if the Government are concerned about information being harvested by social media and other apps, why is the Data Protection and Digital Information Bill, now before the Commons, widening the circumstances in which research data can be used for commercial purposes? Is this not a typical example of this Government’s incoherence and lack of co-ordination on issues such as this?

My Lords, I welcome the welcome for the Statement made by my right honourable friend the Chancellor of the Duchy of Lancaster last week. By way of background, I should explain that the Government commissioned a review by our cybersecurity experts of the risks posed by third-party applications, including TikTok. As a result, the review concluded that we needed further security measures to protect the data.

There is obviously a limit to what I can say due to the sensitive nature of the Government’s work, but we are taking what we believe is proportionate, considered action to strengthen the security of government devices, and we are doing that in two ways. First, as is already the case in many departments—and that includes my own, the Cabinet Office—all government departments will now move to a system where only the third-party mobile apps available on their devices are those which have been pre-approved for inclusion on a departmental “allow list”.

Secondly, as a precautionary measure, all government departments are now required to take action to prohibit TikTok on their devices with immediate effect. It is a prudent, proportionate step, and more broadly, we are absolutely committed to bolstering national security, of which this is an example. As I explained to the House about 10 days ago, new guidance on the use of non-corporate communications will be issued very shortly and will bear on some of the questions that have been raised.

I was asked about TikTok on Ministers’ personal devices. The Secretary of State for Energy Security and Net Zero, who has been quoted, supports our policy and has been very clear that he has never used TikTok on his government devices. On personal devices, it is more of a personal choice. As I have explained before, all Ministers are carefully trained in security when they are appointed, and they have a briefing from time to time to keep that up to date.

To answer the question about exemptions, the business justification for having TikTok on government phones is to my mind very limited, but there are a small number of cases where it is necessary. Examples would include security and law enforcement. I know that some of my colleagues who are involved in security may need to use TikTok to make observations. Marketing would be another area—I think that the Secretary of State for Energy Security and Net Zero, Grant Shapps, comes into that category. We need to have common sense and proportionality. Departments will be able to make exemptions on a case-by-case basis through a departmental approval process, but with ministerial clearance as appropriate and risk mitigation in place.

Regarding Chinese security cameras, we have acted—we have discussed this in this House many times. We are also strengthening the powers in our Procurement Bill, and suppliers will be considered for addition to the debarment list on the basis of a rigorous and fair policy. This policy is under development, so it is too early to say, but regarding the action we have taken, we are now working with departments to make sure that Hikvision cameras are phased out.

The noble Lord, Lord Clement-Jones, talked on a more strategic level about China, about which we need to be sober and realistic. Obviously, we do not dispute the importance of China, but it has become more authoritarian at home and more assertive overseas, which is of concern to the UK—our policies need to reflect that. In the integrated review refresh, which was published last week and is well worth a read—the noble Lord referenced it—the Prime Minister set out clearly the overall direction across government for a consistent, coherent and robust approach to China, rooted in the UK’s national interest and aligned with our allies. A proper, and properly resourced, approach to security is an important part of that.

I repeat that the Prime Minister set up a new department, and the Budget included a substantial pledge—£3.5 billion by 2030—to support the Government’s ambitions to make the UK a scientific and technology superpower. This is one of the Prime Minister’s five priorities. So we should take the steps we need to take for security, but we also need to be careful to encourage the positives of new technology, whether that is AI, quantum technologies or engineering biology. We seek an important balance here.

My Lords, given the Minister’s previous professional connections with Tesco, she will have noticed that, last weekend, it announced that it will remove Hikvision cameras from its supermarkets—many of us applaud that decision. The Minister will also recall that, when the Procurement Bill left this place, it included an all-party amendment on Hikvision and surveillance cameras. Why did the Government then remove that amendment in Committee in another place? Will they support Sir Iain Duncan Smith, the former leader of the Conservative Party, in his attempts, and those of others from across the political divide in the House of Commons, to reinstate that amendment on Report? If not, does that not make everything that has been said to us in the House today contradictory?

I also ask the Minister to look at the evidence of Professor Fraser Sampson, referred to by the noble Lord, Lord Clement-Jones, which he gave to the Joint Committee on Human Rights at the beginning of this month. In answer to a question I asked, he said directly that, because of the facial recognition techniques that can be used, not just by these cameras but by many other pieces of technology, this poses a risk to personal privacy and is therefore liable to be in breach of the European Convention on Human Rights. Will the Minister please look at what was said to the Joint Committee?

My Lords, as a former executive of Tesco, obviously I was extremely interested to see this at the top of my in-tray, where other things it does often appear. On Chinese cameras, I have not seen the evidence to which the noble Lord refers, but I would be very interested to see it. But I assure him that discussions on the Procurement Bill continue in the other place, and my noble friend the Paymaster-General has been in discussions with Sir Iain Duncan Smith on this and other issues. Of course, the Procurement Bill will come back to this House in due course, and I look forward to engaging further with the noble Lord.

My Lords, I understand the Minister’s argument for proportionality with regard to this Statement. Does she have any advice for her non-ministerial colleagues in Parliament—those who sit on defence and intelligence committees—on how they should use their personal devices with TikTok?

I need to tread carefully here because, of course, security in Parliament is independent of government. So this is a matter for the parliamentary authorities. I understand the drift of the noble Lord’s question, and he can see what steps the Government have taken in relation to government devices. I am not sure I am allowed to put apps on my parliamentary device without the permission of the IT department. We stand ready to assist the parliamentary authorities if they would like us to share information on this important matter.

Further to that question, does the Minister accept that it is difficult for parliamentarians, and that it is a potentially unsatisfactory situation, if the message is essentially that it is our personal choice, but we are not—probably for very good reasons—privy to the sensitive security advice on which the Government have made their assessment? So will they encourage Parliament and the parliamentary authorities to allow a collective position to be reached on this?

I can certainly pass the concerns that have been expressed back to the security authorities in Parliament. I add that we have a Defending Democracy Taskforce, headed up by Tom Tugendhat, and the parliamentary authorities are involved in that because of the importance of sharing information, including sensitive security information, which it may not be possible to make public.

My Lords, I want to go back to the Biometrics and Surveillance Camera Commissioner, who through freedom of information requests has found out that 18 police forces across the country use external cameras that have equipment that have serious security and ethical concerns. He says that the use of such equipment by police forces needs to be seriously questioned. What action will the Government now take on a systemic approach across government to deal with those ethical and security issues, rather than just a pick-and-mix approach?

We have security and resilience frameworks which try to do just that, but obviously the police are independent, so the noble Lord’s question about the police goes beyond the areas in which I am expert today.

My Lords, I have been listening carefully to the Minister’s responses to the questions, and I am still not sure that I understand the logic for not including Ministers’ private phones in the ban, particularly as some of the security information will be common; for example, the location of the Minister concerned, and so on. If the argument is that the bit we are really worried about is that, if the security breach were on an official phone, it would include access to ministerial emails on government business, then the Minister really should have answered my noble friend’s question about whether the use of private phones for government business will be addressed in the review of the Ministerial Code. Can she do so now?

I do not have anything to say specifically on the review of the Ministerial Code; it is of course kept under review, and we now have a new ethics adviser. These sorts of matters are certainly being considered in the context of the new guidance on the use of non-corporate forms of communication, and I look forward to making a public statement on that in the not too distant future.

My Lords, the Minister said in reply to a question from my noble friend on the Front Bench that Ministers are given security advice. But that is useful only if they take notice of the advice they are given. How can we believe that they do that, when Boris Johnson, when he was Foreign Secretary, went to parties in Italy as a guest of Alexander Lebedev, and then later on promoted Alexander Lebedev’s son, Evgeny—the noble Lord, Lord Lebedev—to the House of Lords, against the advice of the security services? Surely that gives some evidence that he may well have been compromised.

I always resist commenting on individual cases. Of course, that comment does not necessarily take account of the steps we have made on briefing Ministers, including new Ministers, on security matters. The evolution of social media has been beneficial in many ways; I am sure that noble Lords use it for non-security matters, and we believe that that is perfectly all right on people’s private phones as a complement to the use of government phones for government business. We are very clear that, where people use private phones for government business because they cannot do anything else, it is important that substantive government exchanges are passed on to the private office or elsewhere, so that they are added to the public record. You have to have a balance in this system; we have to have rules which make sense and respect security but are also workable.

My Lords, I apologise for not being here at the beginning of the Statement; I was caught up with the Intelligence and Security Committee, where, of course, we have to hand our mobile phones in because we all know how dangerous mobiles are. I know from my past experience in this arena that, despite many lessons to people, people up to the level of Prime Minister make major errors in using private phones for material that they should not. Does the Minister not agree that we have to look at private phones as well as government phones to ensure that we have the right security that we ought to have? Whenever you speak on a mobile phone, you can guarantee that someone is trying to listen to it.

Those of us who have worked in the City and elsewhere know that you have to be very careful in what you say and write on phones. The point I am trying to make is that there is not necessarily always a security issue. The Statement today is about the proportionate action we have taken on TikTok and how we will manage that, and manage third-party apps, so that government use of apps is sensible and does not create security risks. I am limited in the extent to which I can share the security briefing on which these decisions are based. We think there is a balance here and that it is fine for Ministers to use their personal devices for other uses, such as their constituency work; it is important that they are able to do so in a way that conforms with the rules.

Viscount Thurso (LD): My Lords, what information, if any, has the Minister been given on what advice might be given to a reasonably intelligent citizen who has been listening to this debate as to what they should do on their own devices?

I think the choice is for them. I know the noble Viscount does not like that answer. We have brought in proportionate rules for government phones. There are many benefits to TikTok for certain groups. It obviously involves the use of people’s data, as do all the other apps we have on our phones, and some obviously are not necessarily linked to China. There is a risk/reward here; some people will continue to want to use TikTok and other apps, and I do not see why they should not be able to do so.

Lord Scriven (LD): My Lords, I want to come back to the answer that the Minister gave me. My question was not necessarily about the police; it was about the equipment that the police are using. They are using Chinese devices which have the same security risk, according to the Biometrics and Surveillance Camera Commissioner. My question is this. Across government, regardless of which public body is using this equipment that has that risk, what systematic approach are the Government taking, rather than dealing with this on a case-by-case basis?

I think two different points perhaps arise. One is about apps, and, as I have explained, we have given some central guidance and have also asked government departments to work to a list that they have to set up and on which they can consult the Government centrally. I think the noble Lord is going beyond apps into other areas involving security. I am very happy to take his point away and reflect further.