Security Risks Surrounding the Core System of Digital ID Technology
- Kwabena Opoku

The British government's ambitious plan for a nationwide digital ID is facing intense scrutiny over whether the underlying systems can genuinely safeguard citizens' personal data. The core proposal would see this new digital identity made available to all UK citizens and legal residents, though it would only be mandatory for employment purposes.
While Prime Minister Sir Keir Starmer has publicly insisted the scheme "will have security at its core," full operational details remain under wraps. The system is designed to leverage two existing and developing government platforms: Gov.uk One Login and Gov.uk Wallet.
The Architecture of Concern
One Login, a unified account for accessing public services online, already boasts over 12 million sign-ups. That number is set to surge, potentially hitting 20 million by next year, as new company directors must verify their identity through the service starting November 18.
The yet-to-launch Gov.UK Wallet is envisioned as a citizen's secure mobile repository for their digital ID, holding their name, birth date, nationality, residence status, and a photo, all accessible via their One Login account. A recent trial involved launching a digital identity card for military veterans.
To mitigate security risks, the government intends to keep personal details separated, residing in individual departments rather than a single, massive centralised database. A decentralised approach, in theory, minimises the attack surface.
Red Flags from Westminster
Veteran civil liberties campaigner and Conservative MP David Davis has emerged as a forceful critic, raising significant alarm bells about potential design and execution flaws within One Login that could leave the entire digital ID scheme exposed.
Speaking in a Westminster Hall debate, Davis painted a chilling picture:
"What will happen when this system comes into effect is that the entire population's entire data will be open to malevolent actors - foreign nations, ransomware criminals, malevolent hackers, and even their own personal or political enemies."
He continued with a stark comparison that captured national attention:
"As a result, this will be worse than the Horizon [Post Office] scandal."
Davis has since pressed the spending watchdog, the National Audit Office, for an "urgent" investigation into the escalating costs of One Login, which he forecasts will certainly exceed the current £305 million budget. He also cited a 2022 incident where contractors in Romania were reportedly developing the One Login system on unsecured workstations without the necessary security clearance. Furthermore, he points out that One Login does not meet the government’s own standards for a safe and trusted identity supplier.
The government attributed the lapse of its Digital Identity and Attributes Trust Framework certification earlier this year to a supplier issue, stating they are working to restore it "imminently."
Penetration Tests and Missed Deadlines
Beyond Davis’s concerns, Liberal Democrat technology spokesman Lord Clement-Jones has questioned whether One Login adheres to National Cyber Security Centre standards. The peer disclosed conversations with a whistleblower claiming the government missed its 2025 deadline to fortify "critical" systems against cyber-attacks, a key goal of its national cyber security strategy.
While ministers deny missing the overall deadline, the Lib Dem peer reported that an official told him One Login would not pass the required security tests until March 2026.
The whistleblower also highlighted a March incident where a "red team" tasked with simulating a real-life cyber-attack was allegedly able to gain privileged access to One Login systems. The Department for Science, Innovation and Technology (DSIT) confirmed a red team exercise took place but, citing security reasons, declined to detail it, calling claims of undetected penetration "false."
Regarding the Romanian subcontractors, DSIT officials assured Lord Clement-Jones they were only "a handful of people," none of whom had access to production systems, and that "all code was checked." They also confirmed all team members working on One Login use "corporately managed" devices monitored by a security team.
Lord Clement-Jones, however, expressed a lack of confidence in the department’s assurances. He stated: "should give us all no confidence at all that the new compulsory digital ID, which will be based on them, will ensure that our personal data is safe and will meet the highest cybersecurity standards."
Political Recalibration and Public Confidence
In a move underscoring the scheme's significance, the Prime Minister recently transferred overall control of the digital ID project to the Cabinet Office, now overseen by one of his most trusted and senior ministers, Darren Jones. The Government Digital Service (part of DSIT) will maintain responsibility for design.
A DSIT spokesperson sought to reassure the public: "Gov.UK One Login continues to deliver for citizens across the UK."
The department confirmed: "One Login is now home to more than 100 services and has been used by more than 12 million people - representing almost a sixth of the UK population."
They stressed that "One Login follows the highest security standards used across government and the private sector and is fully compliant with UK data protection and privacy laws," adding that the system "undergoes regular security reviews and testing, including by independent third-parties, to ensure security remains strong and up to date."
The critical question remains: Can a digital ID system, built on foundations that have already drawn serious security and ethical questions from senior political figures, ever truly earn the unreserved public trust it requires to succeed? Do the government's reassurances outweigh the specific, documented claims of vulnerabilities and delays?