Concerns raised over UK digital ID security plans

The UK government's plans for a national Digital ID system are facing intense scrutiny amid concerns over whether the underlying technology can securely protect the personal data of British citizens. The proposed system, which will be available to all citizens and legal residents but only mandatory for employment, is built on two government-built systems: GOV.UK One Login and the upcoming GOV.UK Wallet. The Wallet, which would allow users to store their digital ID on their smartphones, requires a One Login account for access.

Despite Prime Minister Sir Keir Starmer's insistence that the system will have security at its core, the veteran civil liberties campaigner and Conservative MP, David Davis, has raised concerns about the design and implementation of GOV.UK One Login. He argued that potential flaws could leave the entire population's data vulnerable to hackers, foreign nations, and criminals, warning that the consequences could be worse than the Horizon Post Office scandal. 

Davis highlighted a 2022 incident in which Romanian subcontractors reportedly developed the One Login system on unsecured workstations without the required security clearance. In addition, Davis highlights that One Login currently does not meet the government's own requirements for a safe and trusted identity supplier, a lapse the government blamed on a supplier and is working to restore "imminently."

Separately, Liberal Democrat technology spokesman for the digital economy Lord Clement-Jones has also questioned the system's security, claiming that a whistleblower has indicated the government missed the 2025 deadline for hardening "critical" systems against cyberattacks. He also reported a "red team" incident from March in which a real-life attack simulation gained privileged access to One Login systems. The Department for Science, Innovation and Technology (DSIT) denied the claims and defended its security measures, stating that Romanian subcontractors did not have access to production systems. Despite this, Lord Clement-Jones notes that the government's track record gives him no confidence that the new compulsory digital ID will meet the highest cybersecurity standards.

Training Announcement: The IAPP Certified Information Privacy Technologist (CIPT) is a privacy-focused professional IT certificate from the IAPP that addresses data protection requirements and controls within complex technological environments. It explores the data lifecycle, privacy risk models and frameworks, the principles of Privacy by Design, and the role of privacy-enhancing technologies within the organisation. Find out more.