The UK government has announced plans for a digital ID wallet, enabling British citizens to store all government-issued documents on a single location on their smartphones.
However, security experts have raised significant security and privacy concerns around storing so many sensitive documents in a single location.
The new ID wallet is designed to increase the security and convenience of using identification documents for everyday purposes such as proving age and claiming benefits, according to the government.
GOV.UK Wallet will launch in Summer 2025 and will initially store Veteran Cards and Driving Licenses. It will then be rolled out to all forms of identification by the end of 2027.
The digital wallet is optional, with traditional physical documents remaining available.
GOV.UK Wallet will be released alongside a GOV.UK App, which is designed to make it simpler for people to navigate the gov.uk website, access government information and complete essential tasks from their phone.
New Digital ID Raises Security Questions
The UK Department for Science, Innovation and Technology (DSIT) emphasized the security benefits of using the GOV.UK Wallet compared to physical documentation in its announcement.
DSIT highlighted the security of biometric protections built into modern smart phones, including facial recognition checks similar to those used when people pay using a digital bank card.
Additionally, the GOV.UK Wallet will be underpinned by the verification methods of GOV.UK One Login, including single sign on. GOV.UK One Login is available for central government services who need to sign in users or check their identity.
These protections will ensure government documents can only be accessed by the right person, even if the device is lost or stolen, DSIT said.
However, experts Infosecurity spoke to highlighted the security risks of holding vast volumes of personal information in a single place. They noted a single breach could have a devastating impact. This is likely to make the Wallet a major target for malicious actors.
Chris Linnell, Associate Director – Data Privacy at Bridewell, noted: “If a centralized digital ID system were compromised, it wouldn’t just result in leaked phone numbers or email addresses. A major breach would likely expose complete identities, leading to identity theft, fraud, and lasting harm to victims’ financial and personal lives.”
Previous security incidents have demonstrated that features like facial recognition and single sign-on are not infallible.
Nick France, CTO at cybersecurity firm Sectigo, said that digital identities will be subject to the same security challenges as current online identities, which face constant attack from scammers, hackers and malware.
This threat has been exacerbated by developments in AI technology, such as deepfakes. For example, threat actors have created malware to steal facial biometric data and use this information to produce deepfakes of victims which can bypass banking logins.
“We already see that scammers can take thousands of pounds from bank accounts when people are socially-engineered to login and transfer funds or to provide passwords and PINs to online bank accounts,” France observed.
“If trusted digital identities like driver’s licenses and passports are subject to the same kind of attacks, the results could be worse and more long-lasting,” he added.
Privacy and Surveillance Risks with Digital IDs
The digital ID concept also has the potential to become an avenue for privacy abuse and government overreach, if sufficient safeguards are not put in place.
Linnell noted that every use of the GOV.UK Wallet will likely leave behind a “digital trail,” with user’s metadata such as the time, location and device used logged. This would create a detailed record of an individual’s movement and activities over time.
“Unlike showing a physical ID, which often leaves no trace, this approach could enable invasive surveillance, which may give the government or other entities access to information about individuals’ daily life,” Linnell said.
Mike Britton, CIO at Abnormal Security, noted that these issues come amid a period of broader concerns about public trust levels in governments.
“Many citizens may feel uneasy about the potential for digital IDs to link and monitor transactions. While the government has emphasized that adoption will be voluntary and privacy features like hiding addresses will be available, scepticism is likely to persist,” commented Britton.
Transparency Key to Building Trust with Digital IDs
Experts believe the government must establish robust security protocols and provide full transparency over how their information is processed and secured through this service.
In addition to the security protections already highlighted by the government, Jamie Akhtar, CEO and Co-founder of CyberSmart, said that implementing multi-factor authentication beyond facial recognition would provide a crucial additional safety net for users.
Akhtar added that using end-to-end encryption for document storage and transmission is also vital to ensure that data remains protected both at rest and in transit.
Additionally, with cybercriminals likely to exploit social engineering opportunities with the digital ID, it is important that the government provides education for users on the techniques used by malicious actors and how to detect them.
There are a range of approaches that can be taken to alleviate privacy concerns with the GOV.UK Wallet.
Mayur Upadhyaya, CEO at APIContext, emphasized the importance of following the principle of “data minimization,” ensuring the Wallet only stores essential information.
He added that granular user consent controls can provide individuals full visibility and control over how their data is shared, ensuring compliance with GDPR.
“Transparency in how data is processed and secured will play a pivotal role in building public trust,” Upadhyaya commented.
Several cybersecurity experts said the UK government should draw lessons from the successes of Estonia’s e-Residency digital ID program, launched in 2014. This program has focused on principles like transparency, strong encryption protocols and user trust, including secure digital signing.
Conversely, Akhtar highlighted that India’s Aadhaar system was introduced in 2009 without sufficient privacy controls, leading to excessive data collection and leaks.
