Cybersecurity expert warns on Keir Starmer’s digital ID plan

In UK News by Newsroom, 27-09-2025 - 6:43 PM

Credit: The Guardian

A cybersecurity expert has warned that Keir Starmer’s digital ID plan could become a major hacking target, as tech firms compete for billion-pound contracts.

The prime minister stated that, despite significant opposition, a mandatory digital ID would be launched by July 2029 and would include citizens' names, dates of birth, nationalities, photos and residency status.

The government said in a statement that the ID would use state-of-the-art encryption and would be stored in a digital wallet on people's smartphones. However, Alan Woodward, a professor and cybersecurity specialist at the University of Surrey, said that if the data is also stored in a large database to enable cross-referencing, "it's painting a huge target on something to say 'come and hack me'".

Calls for more transparency have been sparked by the government's failure to disclose specifics about how it will implement the system.

Woodward's warning coincides with growing public anxiety over criminal data breaches, which last week affected a chain of daycare centers, resulting in the release of baby pictures onto the dark web, and further impaired Jaguar Land Rover. There have reportedly been instances of illicit exfiltration of data, including photos, from an Estonian official identification system.

Ministers said that by making it more difficult to work illegally in the UK, the new digital ID, known as the "Britcard," would address small boat crossings. They added that it might also be used for accessing tax data, daycare, driving licenses, and welfare applications. Leaders of the Liberal Democrats, Sinn Féin in Northern Ireland, and the SNP in Scotland, as well as civil rights activists, criticized the plan.

The government said the new digital ID will be held on people’s phones in the gov.uk wallet that is being developed to hold driving licences, “just as millions already use the NHS App or contactless mobile payments”. The scheme would draw inspiration from schemes in Australia, Estonia, India and Denmark, it said.

“Digital ID is an enormous opportunity for the UK,”

said Starmer.

“It will make it tougher to work illegally in this country, making our borders more secure. And it will also offer ordinary citizens countless benefits, like being able to prove your identity to access key services swiftly – rather than hunting around for an old utility bill.”

The government has already awarded contracts totaling £100 million to firms including Deloitte, BAE Systems, PA Consulting, and Hinduja Global Solutions to support the IT systems of the project. Industry estimates, however, place the overall cost of a national digital ID between £1.2 billion and £2 billion.

The UK government has also been the target of US tech companies. Palantir, which was co-founded by Trump contributor Peter Thiel and already has contracts with the NHS and the Ministry of Defence, hosted Starmer as a guest at its offices in February. Earlier this year, ministries and OpenAI signed a memorandum of understanding to investigate the use of cutting-edge AI models in public services. At a corporate function for the $4 trillion chip manufacturer Nvidia in London last week, Starmer was the honored guest on stage.

Starmer’s announcement also sparked concerns that millions of people who lack credentials or suffer from digital poverty could be excluded from public services.

“When things don’t go well it could have serious consequences, especially for those on the margins of society who could be excluded,”

said Peter Chamberlain, who developed part of the scheme’s digital architecture and is the senior director of technology at consultancy Public Digital.

“In order for this to succeed, transparency is absolutely crucial.”

The civil liberties campaign group Liberty warned that digital IDs could become “a nightmarish surveillance system”.

“Technological advancements mean that digital ID systems pose an even greater risk to privacy than they did when last proposed in the 2000s,”

it said.

“A single and unique ‘digital identity’ and centralising databases would remove much of the individual’s agency in managing their data. This information could be used to profile individuals across multiple datasets and would pose particular risks to marginalised communities.”

Kemi Badenoch, the leader of the Conservative Party, declared that her party would fight any attempt by the government "to impose mandatory ID cards on law-abiding citizens." The Liberal Democrats' leader, Ed Davey, referred to the proposal as "nonsensical" and stated that the party would "fight against it tooth and nail."

"By calling it BritCard, the prime minister seems to be trying to force every Scot to declare ourselves British,"

said SNP Scottish First Minister John Swinney, who also called the mandatory ID a violation of everyday life.

Both Sinn Féin and the DUP opposed the plan in Northern Ireland; Michelle O'Neill, the Sinn Féin first minister, described it as an "attack" on the Good Friday pact.

What technical safeguards would lessen the risk of hacking for a national digital ID?

Require multifactor authentication (MFA), which combines a password with an additional factor (biometric token, one-time code). This significantly reduces unauthorized access.

Encrypt all sensitive personal data, at rest and in transit, to prevent unauthorized interception or access.

Conduct access and security assessments, including vulnerability reviews and pen testing, at regular intervals to identify and remediate security vulnerabilities before they are exploited.

Restrict access to your institution's information and systems to your institution's authorized personnel exclusively.

Deploy real-time threat detection and monitoring systems that allow security teams to detect suspicious activity quickly and respond to events in real time.