Digital ID in the UK – is it safe?

Last week, Keir Starmer announced plans to introduce Digital IDs that could be used to prove whether someone has the right to live and work in the UK. The IDs would be held in an app on a smart phone (with alternative versions proposed for those who don’t have them) and include information about residency status, name, date of birth, nationality and a photo. It will be mandatory for people who want to work and optional for people who don’t, such as students and pensioners. 

The government says that the ID will not be required in order to access healthcare or welfare payments, but in time will be used as part of processes to apply for government services and access tax records. 

Of course, UK citizens already have government-issued IDs. Many of us will have National Insurance Numbers, birth certificates, marriage or civil partnership certificates, passports and driving licences. These IDs are different from the proposed Digital ID because they are either used for very limited purposes (National Insurance Numbers) or are only provided to individuals who want them. Where they are used for identification, each identifier either specifically related to the processing purpose (eg providing your driving licence to prove you are legally able to hire a car) or one of a number of options (eg verifying your identity to open a bank account). 

Other countries using digital IDs include other democracies such as Australia, France, and Denmark – and countries that are decidedly not democracies, such as Afghanistan. The UK most recently issued government IDs during World War 2, but they were scrapped in 1952 following criticisms about the cost of the system and the way they were being used by the police. The most recent attempt to introduce ID cards in the 2000s was scrapped in 2011 following arguments that it was too costly and intrusive.

What are the risks? 

Privacy campaigners Big Brother Watch have published a report, Checkpoint Britain: The dangers of digital ID and why privacy must be protected, that sets out the following risks: 

• They may be used to enable population-level surveillance, curb liberties, predict and shape people’s decisions, or be abused to track and target marginalised groups
• They will burden law-abiding citizens and businesses, but there is little evidence to prove that they will deter illegal immigration (the stated purpose)
• There is a high risk of scope creep and the Digital ID being required for more than its stated purpose
• Such scope creep could include surveillance of every data interactions such as voting online, paying bulls and shopping
• Errors in other government IT projects such as eVisa and the Post Office Horizon scandal raise concerns about the government’s ability to manage such a large ID system to the level required
• 63% of respondents to the YouGov poll commissioned for the study said they would not trust that their digital ID would be protected ‘at all’ or ‘very much’
• It would increase digital inequality, with people with disabilities, on low incomes and the elderly most likely to suffer consequences such as reduced access to services. 

Previous UK schemes have failed at least in part due to the costs involved. Government-level identification requires an exceptionally high level of assurance and the consequences if something goes wrong can be very difficult for individuals to cope with and have lasting consequences. These datasets are also attractive targets for hackers. The combination means that the system needs to be exceptionally robust and exceptionally well protected from cyber attacks, which is expensive and time consuming. 

There are examples of successful hacks on government IDs. In 2016, the Philippine Commission on Elections was hacked a month before the elections and voter registration data relating to 55 million voters was stolen. This was reported as including unencrypted physical and email addresses, passport information, height, weight, gender, parents’ names, marital status and place of birth, as well as encoded fingerprint information. Such hacks leave affected individuals open to identity theft and opportunitistic phishing among other risks. 

In addition, there is the risk that Digital IDs will be used for more purposes than those originally envisaged when the scheme is introduced. While the current government says the IDs will only be used in limited ways, there is no guarantee that the limits will be honoured by future governments. 

High authority, common identifiers such as Digital IDs can be used to link information contained in disparate data sets, increasing the amount of information that can be known about an individual and making it easier to analyse. UK citizens are currently lucky to live in a free democracy, but political systems change. During my summer holidays, I visited the Museum of Occupation and Freedom Fights in Lithuania, which is housed in the KGB prison that was used to imprison and torture political opponents as recently as 1991. Authoritarian regimes can become democratic and vice versa remarkably quickly and data that seems innocuous today can become problematic tomorrow. 

However a country does not need to be an authoritarian regime for people to object to government surveillance. A study of 1,358 people in the UK and Israel, by Imperial College London and published in 2021, found that people who were concerned about the effect of vaccine passports on their free will were less likely to take the Covid-19 vaccine. At the time of the report, 11 per cent of eligible adults in the UK and 15% in Israel had yet to accept a first dose of the vaccine, with Dr Taya Porat of Imperial’s Dyson School of Design Engineering noting that vaccine refusals above 10% significantly impact herd immunity. While this study was specific to Covid, the findings may indicate that some people could choose not to do things such as seek work if having a Digital ID becomes a condition. 

In the UK, the NHS issued a Covid-19 app to alert people if they were exposed to someone with Covid. This was installed over 10 million times (against a total UK population of 66.7 million) and was considered a great success. However, usage fell over time and it was eventually closed in 2023. Contemporary reports indicated that individuals were concerned that using the app curtailed their freedoms as they were required to isolate if notified of exposure. 

At the time of writing, a petition demanding ‘that the UK government immediately commits to not introducing digital ID cards’ has over 2.5 million signatures, 10 times the number required to initiate a parliamentary debate.

What should the government do next? 

If the government wants to introduce digital IDs, it must build a convincing and reassuring case that the measures are a proportionate and effective response to an important issue. It must also demonstrate that such a system would be cost effective and adequately secured against all the risks. This process must include effective consultation with a wide range of interested parties, including groups that may be difficult to reach.

What action should organisations take now? 

It is too early to prepare for changes to Right to Work checks at this stage. However, debates around Digital IDs serve to highlight the importance of effective data protection and cyber security measures. 

Organisations may wish to monitor for evidence that such concerns are impacting on their own activities – for example, leading to greater numbers of data subject rights requests, privacy notice views, or reduced take up of or engagement with digital services. If this is the case, they will need to consider their own communications plan to allay any concerns. This could include reviewing privacy notices to ensure they provide the information people need in a user-friendly format and reviewing controls to ensure they continue to adequately address risks.