1. Executive summary
January 2026 update: The government has dropped mandatory BritCard following a 2.97 million-signature petition. But the infrastructure continues: GOV.UK One Login now serves 11+ million users, contractor spending exceeds £130 million, and "voluntary" digital identity is increasingly required in practice for housing, employment, and benefits. The policy question remains whether Britain is building surveillance infrastructure under a different name. [1–6, 37–40, 60–64]
Key findings
- The U-turn that wasn't: In January 2026, ministers dropped the "Brit Card" name and mandatory employment verification timeline, but retained the underlying GOV.UK Wallet infrastructure, Digital Verification Service development, and £130+ million in contractor commitments. [60–63]
- Historical resistance persists: The ID Cards Act 2006 would have created a biometric National Identity Register; campaigners derided it as a surveillance database and the coalition government scrapped it in 2010, destroying issued cards and the register. [1, 2, 4]
- Centralised verification today: GOV.UK One Login now underpins HMRC, DWP, DVLA, NHS pilots, and more than 130 services, storing verification outcomes and activity logs inside government systems, unlike the outsourced GOV.UK Verify model retired in 2023. [5, 6, 61]
- De facto mandates already exist: "Voluntary" digital identity is compulsory in practice for housing and employment checks. Right to Rent/Work logging has produced discrimination findings, and Windrush-era cases show legal residents wrongly flagged as "no status found." [7–9, 19–22]
- Coercion by design: Ministers now describe digital ID as "voluntary," yet service design makes offline alternatives slower and less accessible. Civil liberties groups warn this mirrors India's Aadhaar trajectory: initially optional, then required for bank accounts, rations, and mobile phones. [64]
- Private sector displacement: Moving verification in-house through the Digital Verification Service threatens existing certified vendors (Yoti, Onfido, Digidentity) and invites insurers, lenders, and data brokers to reuse government-backed attributes for risk scoring, echoing corporate surveillance models abroad. [12, 33, 45, 46, 56–58]
The report that follows traces this arc from the ID Cards Act to One Login, examines the January 2026 "U-turn" and what actually changed, dissects the Brit Card design, surfaces civil liberties critiques, contrasts global models, and explores privacy-preserving alternatives that avoid recreating the dangers of centralised identity registers.
2. January 2026 update: the U-Turn that wasn't
On 16 January 2026, the government announced it would no longer pursue mandatory smartphone-based digital ID. The petition against BritCard had gathered 2,967,089 signatures—the fourth-largest in UK Parliament petition history—and ministers framed the retreat as listening to public concern. [60]
Yet the announcement concealed as much as it revealed. What was dropped: the 2029 target for compulsory Right to Work checks and the explicit "Brit Card" branding. What continues: the underlying infrastructure, the contractor ecosystem, and the gradual normalization of government-issued digital credentials across housing, employment, and benefits.
What was actually dropped
- Mandatory employment checks: The commitment to require Brit Card verification for all Right to Work checks by 2029 has been removed from official guidance.
- The "Brit Card" name: Ministers have quietly retired the term, reverting to "GOV.UK digital identity" or "digital verification services" in all communications.
- Timeline pressure: The aggressive 2026-2029 rollout schedule is now described as "flexible" pending further consultation.
What continues unchanged
- GOV.UK One Login: Now serves over 11 million users across 130+ government services. User growth continues at approximately 500,000 per month with no slowdown following the announcement. [61]
- Digital Verification Service (DVS): The infrastructure enabling private-sector attribute queries remains in development. Regulations expected Q2 2026.
- Right to Rent/Work digital systems: The Home Office online checking services continue operating exactly as before. The only change is that Brit Card won't become the sole verification method.
- GOV.UK Wallet development: The mobile app framework that would have hosted Brit Card credentials continues development for "optional" identity features, including mobile driving licences.
Following the money: contractor ecosystem
Despite the headline "U-turn," identity-verification contracts awarded in 2024-25 remain in force. FOI disclosures and contract notices reveal the scale of committed spending: [62, 63]
- Deloitte: £70-77 million for One Login delivery and support (2022-2027)
- PA Consulting: £44 million for digital identity programme management
- iProov: £17.5 million for biometric liveness detection (the selfie-matching technology used during identity proofing)
- Additional suppliers: Onfido, Yoti, and other certified identity providers retain framework agreements worth tens of millions collectively
None of these contracts have been cancelled or reduced. The infrastructure continues to be built; only the mandatory front door has been removed.
The "voluntary" pathway
Ministers now describe digital ID as "voluntary," yet the incentive structures remain: faster benefits processing, streamlined HMRC interactions, instant Right to Work verification for employers. Government services are increasingly designed with digital-first journeys that make offline alternatives slower and less accessible.
Civil liberties groups warn this creates "coercion by design"—a system where technically-optional credentials become practically necessary for full participation in economic life. Big Brother Watch notes that India's Aadhaar system followed a similar trajectory: initially voluntary, then required for bank accounts, then for rations, then for mobile phones. [64]
Security record under scrutiny
The announcement coincided with renewed scrutiny of contractor security practices:
- December 2025: A Cabinet Office review found that two identity verification contractors had failed to meet required security standards for handling biometric data. The contractors were not named but remain on the approved supplier list.
- January 2026: Security researchers disclosed that One Login's activity logging captured more IP address and device fingerprint data than the privacy notice specified. GDS issued a corrected privacy notice but did not delete previously-collected data.
Tony Blair Institute connection
The original "Brit Card" concept emerged from the Tony Blair Institute's 2023 New National Purpose review, co-authored with William Hague. The Institute continues to advocate for digital identity infrastructure, now framing it as "foundational technology for AI-era public services." [32]
Critics note the revolving door between TBI alumni and government digital policy roles. The Institute's recommendations consistently favour centralised identity systems regardless of party, and its papers downplay surveillance risks in favour of efficiency arguments.
International precedent
The UK "U-turn" mirrors patterns elsewhere. Australia abandoned its "Australia Card" in 1987 following public backlash, then reintroduced equivalent functionality piecemeal through MyGovID (now 13 million users). Germany dropped national ID card biometric mandates after GDPR concerns, then expanded voluntary digital ID take-up through incentives.
The lesson: politically-toxic mandatory schemes get rebadged as voluntary systems, then achieve near-universal adoption through service design that penalizes non-users.
What "winning" looks like
The petition achieved a genuine policy shift: mandatory Brit Card is off the immediate agenda. But privacy advocates argue the victory is partial:
- The underlying infrastructure continues to grow
- No contracts have been cancelled
- No statutory privacy protections have been added
- The Digital Verification Service proceeds on schedule
- "Voluntary" adoption is incentivised through service design
The next six months will reveal whether the U-turn represents a genuine rethink or a tactical pause before rebranding.
3. The UK's digital identity journey: from ID Cards Act to One Login
The ID Cards Act 2006: Britain's surveillance database
The Identity Cards Act 2006, introduced by Tony Blair's Labour government, mandated biometric national ID cards linked to a National Identity Register (NIR) storing fingerprints, facial images, iris scans, and 50+ data points per individual. The scheme aimed to combat terrorism, immigration fraud, and identity theft. [1]
Civil liberties opposition: NO2ID, Liberty, and the Information Commissioner's Office (ICO) argued the NIR was a "surveillance infrastructure" incompatible with British civil liberties. Concerns included:
- Function creep: Initially limited to passport/ID card issuance, the NIR could be expanded to track citizens across all government services, healthcare, and commercial transactions.
- Biometric data risks: Centralizing fingerprints and iris scans created a high-value breach target. Unlike passwords, biometrics cannot be changed if compromised.
- Erosion of anonymity: Linking NIR numbers to all transactions would end anonymous interaction with government, enabling comprehensive profiling. [4, 10]
Repeal (2010): The Conservative-Liberal Democrat coalition repealed the Act via the Identity Documents Act 2010, destroying ~15,000 issued cards and the NIR. Then-Home Secretary Theresa May called the ID card scheme "intrusive bullying by the state." [2]
The "Brit Card" vision and trust framework roadmap
In 2023, the Tony Blair Institute and former Foreign Secretary William Hague jointly proposed a universal digital ID, dubbed the "Brit Card," as part of their New National Purpose review. The plan imagines a citizen wallet consolidating NHS numbers, voting status, immigration records, and tax history, with optional private-sector hooks for banking, age checks, and travel. [32]
Successive governments have positioned the Digital Identity and Attributes Trust Framework (alpha 2021, beta 2023) as the governance layer needed to make a Brit Card lawful. The framework certifies "attribute providers" who can vouch for specific data points across public and private sectors, while the Data Protection and Digital Information Bill (No. 2) would create a Digital Verification Service (DVS) inside government to broker those attributes. [33, 34]
Privacy regulators and campaigners argue that a DVS plus a Brit Card-style wallet could normalize routine cross-department data matching unless Parliament legislates strict guardrails. The Information Commissioner's Office warned MPs that the Bill lacks explicit limits on re-use of verified attributes, and civil liberties groups see the proposals as ID cards by stealth without transparency, independent oversight, and user-facing audit trails. [35, 36]
- Persistent identifiers: Draft regulations allow attribute providers to generate stable identifiers for each user, raising linkability risks if the same token is reused across welfare, housing, and private-sector checks. [34, 35]
- Private-sector onboarding: Certified banks, employers, and rental platforms would be able to query government-backed attributes via the DVS, expanding surveillance beyond the state. [33]
- Safeguards under debate: Campaigners demand mandatory logging that citizens can inspect, purpose limitation clauses, and statutory deletion timelines before any Brit Card pilot proceeds. [35, 36]
Brit Card (2025–2029 rollout plans)
On 25 September 2025, Prime Minister Keir Starmer announced plans for a free, smartphone-held national digital ID credential, quickly dubbed the "Brit Card," that would be issued to all residents aged 16+ via a new GOV.UK Wallet application. The scheme is framed as a tool to modernize access to state services and crack down on illegal working, with ministers committing to make Brit Card verification compulsory for Right to Work checks by the end of the current Parliament and exploring extensions to Right to Rent. [37–39]
Official communications emphasize that Brit Card will build directly on the existing One Login identity proofing pipeline while storing digitally signed credentials on users' devices rather than creating a single central database. The government promises bank-grade encryption, optional selective disclosure (e.g., sharing an 18+ proof without a full birth date), and National Cyber Security Centre oversight. Critics note that even without a monolithic register, mandatory checks will generate extensive audit logs linking individuals, employers, and landlords, effectively expanding the state's visibility into daily life. [37–40]
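The selective disclosure promised above can be built by having the issuer sign salted hashes of each claim, so the holder reveals only the claims a verifier needs. The following is an added example, not government or GOV.UK Wallet code. It assumes an SD-JWT-style salted-hash design; the key, claim names and sample values are constructed, and HMAC stands in for the issuer's asymmetric signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. HMAC stands in for the issuer's asymmetric signature so
# the example needs only the standard library (an assumption, not the scheme's design).
ISSUER_KEY = b"constructed-issuer-key"


def disclosure_digest(disclosure):
    """Hash one [salt, claim_name, claim_value] triple."""
    encoded = json.dumps(disclosure, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def sign_digests(digests):
    """Issuer 'signature' over the ordered list of claim hashes."""
    return hmac.new(ISSUER_KEY, "\n".join(digests).encode(), hashlib.sha256).hexdigest()


def issue(claims):
    """Issuer: salt and hash every claim, then sign only the list of hashes."""
    disclosures = {name: [secrets.token_hex(16), name, value]
                   for name, value in claims.items()}
    digests = sorted(disclosure_digest(d) for d in disclosures.values())
    credential = {"digests": digests, "signature": sign_digests(digests)}
    return credential, disclosures  # both are stored in the holder's wallet


def present(credential, disclosures, reveal):
    """Holder: send the signed hash list plus only the chosen disclosures."""
    return {"credential": credential,
            "disclosed": [disclosures[name] for name in reveal]}


def verify(presentation):
    """Verifier: check the signature, then match each disclosure to a signed hash."""
    cred = presentation["credential"]
    if not hmac.compare_digest(sign_digests(cred["digests"]), cred["signature"]):
        raise ValueError("credential signature invalid")
    claims = {}
    for disclosure in presentation["disclosed"]:
        if disclosure_digest(disclosure) not in cred["digests"]:
            raise ValueError("disclosure not covered by the signed credential")
        _salt, name, value = disclosure
        claims[name] = value
    return claims


def demo():
    """Issue three constructed claims and reveal only the 18+ proof."""
    credential, disclosures = issue({
        "given_name": "Alex",
        "date_of_birth": "1990-04-12",
        "age_over_18": True,
    })
    return verify(present(credential, disclosures, ["age_over_18"]))


if __name__ == "__main__":
    print(demo())
```

The signed hash list is identical in every presentation, so verifiers that compare records can still link them to one holder even when only the 18+ claim is revealed.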
Ministers outline a GOV.UK Wallet experience in which residents scan passports or driving licences, complete the familiar One Login selfie liveness check, and then download QR-style credentials that employers, landlords, or banks validate through a companion verifier app. Earlier think-tank proposals, most notably from the Tony Blair Institute and allied Labour policy groups, framed a “Brit Card” as a Windrush safeguard that would let migrants evidence status instantly; civil liberties groups counter that linking identity, immigration records, and employment data risks entrenching the hostile environment. [32, 39, 41, 42]
The rollout roadmap foresees limited pilots in 2026 (e.g., veterans and selected public-sector workers), wider onboarding through GOV.UK Wallet integrations with mobile driving licences and immigration status, and incentives for private-sector acceptance by 2029. Early reaction included the UK's fastest-growing petition of 2025 (surpassing 2.8 million signatures within weeks) and immediate calls from Big Brother Watch, Liberty, and cross-party MPs to halt or radically redraft the proposals before legislation is tabled. [38–42]
[Figure: UK digital identity timeline (2006-2029)]
GOV.UK Verify: the federated failure (2016-2023)
Post-ID card repeal, the UK pursued a federated approach through GOV.UK Verify, launched in 2016. Users chose from certified private identity providers (Post Office, Experian, Barclays, Digidentity) to verify their identity for government services. The government did not store identity data; providers verified users and passed authentication tokens. [11]
Why Verify failed:
- Low adoption: Only 5 million users (8% of eligible population) by 2023. The verification process was cumbersome, requiring document scans, biometric selfies, and credit file checks.
- Exclusion: Individuals without UK credit history, stable addresses, or digital literacy were locked out.
- Privacy paradox: While avoiding central government databases, Verify required sharing data with commercial companies (credit agencies, telecoms). Privacy International noted this created "surveillance by outsourcing." [6, 12]
Verify was retired in April 2023, with users migrated to One Login.
GOV.UK One Login: centralisation redux (2021-present)
Launched in 2021, GOV.UK One Login shifts from federation to centralisation. Users create a single government account with credentials stored by the Government Digital Service (GDS). As of October 2025, One Login serves 20 million users across 120+ services. [5]
Key difference from the ID Cards Act: One Login avoids biometric storage (no fingerprints or iris scans) and is nominally voluntary. However, accessing essential services (tax filing, benefits, driving licence) increasingly requires it, making opting out impractical.
4. GOV.UK One Login: technical architecture deep-dive
System architecture
One Login is an OpenID Connect (OIDC) identity provider built on AWS infrastructure. Users create an account with email/phone, password, and two-factor authentication (SMS or authenticator app). The system stores: [13]
- Core identity: Name, date of birth, address, email, phone
- Verification documents: Driving licence, passport (uploaded for identity proofing)
- Biometric check data: Short-lived selfie capture or video for liveness detection, compared to document photos during verification
- Activity logs: Services accessed, timestamps, IP addresses
- Authentication metadata: Device fingerprints, session tokens
Identity proofing levels
One Login implements UK government identity proofing levels (GPG 45 standard): [14]
- Level 1 (Low confidence): Email/phone verification only. Sufficient for low-risk services (e.g., subscribing to newsletters).
- Level 2 (Medium confidence): Document upload (driving licence or passport) + liveness check (selfie). Used for most government services (tax filing, DVLA).
- Level 3 (High confidence): Document upload + liveness check + knowledge-based verification (KBV) questions drawn from credit files. Reserved for high-risk services (state pension claims, immigration applications).
Data flows and storage
User data is stored in AWS UK regions (London, Manchester) with encryption at rest (AES-256) and in transit (TLS 1.3). Data retention: [15]
- Identity documents: Retained for 90 days after verification, then deleted. However, the verification result (pass/fail, identity attributes) is retained indefinitely.
- Liveness captures: Selfie videos used for biometric comparison are purged after verification, with only pass/fail metadata retained.
- Activity logs: 7 years (aligned with HMRC record-keeping requirements).
- Account data: Retained until user deletes account. Unused accounts auto-deleted after 2 years of inactivity.
Cross-service data sharing
One Login enables cross-service data sharing within government via APIs. When a user accesses HMRC (tax) or DWP (benefits), the service queries One Login for identity attributes (name, DOB, address). This creates a comprehensive log of which services a user accesses and when, enabling profiling of citizens' interactions with the state. [16]
Privacy risk: While One Login does not create a single central database like the NIR, the cross-service query logs achieve a similar effect: the government can track who accesses which services, correlating tax, benefits, healthcare, and driving records.
Security incidents and breach history
No major breaches had been reported as of October 2025. However, GDS has faced scrutiny for:
- 2023 phishing campaign: Scammers sent fake One Login emails requesting document uploads. GDS implemented DMARC email authentication to prevent spoofing. [17]
- 2024 session hijacking vulnerability: A security researcher disclosed a session token fixation vulnerability (CVE-2024-3849); it was patched within 48 hours. [18]
5. Right to Rent and Right to Work: case studies in digital surveillance
While One Login is nominally voluntary, sectoral digital verification mandates create de facto ID requirements for accessing housing and employment.
Right to Rent: landlord immigration checks
Introduced in 2016, the Right to Rent scheme requires landlords to verify tenants' immigration status before renting property. Landlords face civil penalties (£3,000 per illegal tenant) and criminal prosecution (up to 5 years imprisonment) for non-compliance. [7]
Digital verification process: Landlords use the Home Office Online Right to Rent Service to check immigration status via biometric residence permit (BRP) numbers or share codes generated by the EU Settlement Scheme app. This creates a database of:
- Who checked whose immigration status (landlord identity + tenant identity)
- Housing application dates and addresses
- Immigration status (visa type, expiry date, work/study restrictions)
Case study: "Hostile environment" discrimination
A 2018 Joint Council for the Welfare of Immigrants (JCWI) study found that 51% of landlords discriminated against non-UK nationals due to Right to Rent fears. Landlords avoid renting to anyone without a British passport, even when legally eligible (e.g., EU citizens with settled status). [8, 19]
Legal challenges: In 2019, the High Court ruled Right to Rent causes unlawful discrimination (indirect racial discrimination under Equality Act 2010). The Court of Appeal overturned this in 2020, but discrimination persists. Liberty and JCWI argue the scheme creates "two-tier access" to housing based on perceived immigration status. [20]
Right to Work: employer immigration checks
Similarly, employers must verify employees' right to work in the UK before hiring. Digital checks use the Home Office Employer Checking Service (share codes or BRP numbers). Employers failing to comply face civil penalties (£20,000 per illegal worker) and criminal prosecution. [9]
Surveillance infrastructure: The Home Office retains logs of all Right to Work checks, creating an employment application database. In 2022, Freedom of Information requests revealed the Home Office had conducted 15 million Right to Work checks, tracking where foreign nationals apply for jobs. [21]
Case study: Windrush scandal and wrongful denials
The 2018 Windrush scandal exposed how digital verification systems exclude legal residents lacking documentation. Caribbean immigrants who arrived pre-1973 (Windrush generation) lacked biometric documents; Right to Work/Rent systems flagged them as "no immigration status found." Result: wrongful job loss, evictions, and deportations. [22]
Case: Paulette Wilson, wrongfully detained and threatened with deportation
Paulette Wilson, 61, came to the UK from Jamaica in 1968 aged 10. In 2015, during a routine appointment at Slough JobCentre Plus, immigration officers detained her based on Right to Work database flags showing "no legal status." She was held in Yarl's Wood detention centre for a week and told she would be deported to Jamaica, a country she had left 47 years earlier. Despite having lived, worked, and paid taxes in the UK for decades, the digital verification system had no record of her pre-1973 arrival. It took her daughter's persistent advocacy and intervention by her MP to prove her legal status. [22]
Impact: Paulette lost her job (she had worked as a cook for the House of Commons), was made homeless, and suffered severe mental health consequences. She died in 2020. The Windrush Lessons Learned Review found at least 83 similar wrongful deportations, with the true number likely in the hundreds.
Lessons: Digital verification systems assume all legal residents have digital records. Those without such records, including elderly immigrants, refugees, and digitally excluded populations, are locked out of housing and employment. When systems flag "no status found," the burden falls on the individual to prove a negative.
Cumulative surveillance effects
Combining One Login, Right to Rent, and Right to Work creates comprehensive surveillance:
- Housing: Home Office tracks where foreign nationals live via Right to Rent checks
- Employment: Home Office tracks where they work via Right to Work checks
- Government services: One Login tracks which services they access (benefits, healthcare, tax)
These systems collectively enable the Home Office to build comprehensive profiles of foreign nationals' lives, movements, and circumstances, despite the UK's rejection of a central ID database.
Historical warning signs
Identity systems can be turned against the people they catalogue. During the Nazi occupation, Dutch municipal population registers, admired for their precision, were seized and used to identify and deport roughly three-quarters of the Netherlands’ Jewish population. [43]
Vichy France attempted similar persecution, yet the state’s fragmented records, uneven local cooperation, and the absence of a universal personal register meant authorities could not locate every Jewish resident. Historians credit that bureaucratic friction with limiting deportations compared with the Netherlands. [44]
The contrast illustrates why privacy advocates view comprehensive, linkable identity logs as an existential risk if democratic guardrails fail.
6. Privacy implications and surveillance concerns
Data concentration risks
One Login centralises 20 million user profiles within GDS systems. A breach could expose:
- Comprehensive identity data (name, DOB, address, documents)
- Service access patterns (tax, benefits, healthcare usage)
- Financial data (HMRC integrates salary, income, tax records)
- Immigration status (for users who accessed visa/settlement services)
While One Login avoids biometric storage (reducing risk compared with the ID Cards Act), the cross-service activity logs enable comparable surveillance.
Cross-service correlation and profiling
One Login's API queries create a real-time map of citizen-state interactions. Example profiling scenarios:
- Benefit fraud detection: User claims unemployment benefits (DWP) while HMRC shows active PAYE income → automated fraud alert
- Tax evasion detection: User lives in high-value property (council tax data) but declares low income (HMRC) → audit trigger
- Immigration enforcement: User's visa expires (Home Office data) → automated alerts to DWP (benefits), DVLA (driving), NHS (healthcare) to deny services
While some use cases (fraud detection) are legitimate, the infrastructure enables mission creep: using One Login for purposes beyond its original scope (e.g., political profiling, protest surveillance). [23]
The Brit Card roadmap intensifies these risks by hardwiring identity checks into employment and potentially housing, ensuring that every verification generates a government-held audit trail. Petition briefings confirm the Home Office intends to use Brit Card analytics to pinpoint employers that fail to run checks, while the Prime Minister's Office touts richer intelligence on immigration enforcement as a core benefit. [37–39]
Privacy advocates counter that ubiquitous, mandatory logging reconstructs the centralised oversight that ministers claim to avoid. Big Brother Watch labels the design a "domestic mass surveillance infrastructure," warning that cross-department reuse of Brit Card telemetry could normalize identity checkpoints for ordinary life. [40, 41]
Function creep: from authentication to tracking
One Login's 2021 launch promised "simple, secure access to government services." By 2025, scope has expanded to:
- Local councils integrating One Login for housing, parking, waste services
- NHS trusts piloting One Login for appointment booking, prescription ordering
- Police consideration of One Login for online crime reporting (creating a database of who reports which crimes)
Each integration expands the government's surveillance footprint. Big Brother Watch warns this mirrors the ID Cards Act function creep concerns: "What starts as convenience ends as comprehensive tracking." [24]
Legislative guardrails still unsettled
The Data Protection and Digital Information Bill would empower the Secretary of State to designate the Digital Verification Service as controller for identity attributes, authorizing both government departments and certified private firms to query the same record sets. [34]
The Information Commissioner's Office told the Bill Committee that the framework does not require pseudonymous identifiers by default, nor does it mandate user-facing audit logs comparable to Estonia's model. Regulators urged ministers to bake purpose limitation and deletion duties into secondary legislation before rollout. [35]
Civil liberties groups warn that combining One Login's transaction logs with the DVS' attribute brokering would create a longitudinal view of every identity check, from opening bank accounts to renting flats, unless Parliament sets hard limits. Big Brother Watch argues the Brit Card blueprint normalizes "identity checkpoints" in everyday life without statutory red lines on reuse. [36]
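The linkability risk behind the persistent-identifier concern in section 3 and the ICO's point on pseudonymous identifiers above, as an added example that is not One Login or DVS code: the same constructed check events are logged once with a stable identifier and once with per-sector pairwise identifiers in the style of OpenID Connect pairwise subjects. The salt, user ids and sector names are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed secret held only by the identity provider (assumption).
IDP_SALT = b"constructed-demo-salt"

# Constructed sample events: (internal user id, relying-party sector, check type).
EVENTS = [
    ("user-001", "dwp.example", "benefit claim"),
    ("user-001", "landlord-portal.example", "right to rent check"),
    ("user-001", "bank.example", "account opening"),
    ("user-002", "dwp.example", "benefit claim"),
    ("user-002", "employer-hr.example", "right to work check"),
]


def stable_subject(user_id):
    """One identifier per user, identical at every relying party."""
    return hmac.new(IDP_SALT, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def pairwise_subject(user_id, sector):
    """Identifier bound to (user, sector): a different value in each sector."""
    message = sector.encode() + b"\x00" + user_id.encode()
    return hmac.new(IDP_SALT, message, hashlib.sha256).hexdigest()[:16]


def issue_logs(events, scheme):
    """Return what each relying party records: sector -> [(subject, check), ...]."""
    logs = defaultdict(list)
    for user, sector, check in events:
        if scheme == "stable":
            subject = stable_subject(user)
        else:
            subject = pairwise_subject(user, sector)
        logs[sector].append((subject, check))
    return dict(logs)


def join_across_sectors(logs):
    """Join several sectors' logs on the subject value, as a party holding
    more than one log could. Returns {subject: [sectors]} for every subject
    that appears in more than one sector."""
    seen = defaultdict(set)
    for sector, rows in logs.items():
        for subject, _check in rows:
            seen[subject].add(sector)
    return {subject: sorted(sectors)
            for subject, sectors in seen.items() if len(sectors) > 1}


if __name__ == "__main__":
    for scheme in ("stable", "pairwise"):
        linked = join_across_sectors(issue_logs(EVENTS, scheme))
        print(scheme, "-> subjects linkable across sectors:", len(linked))
        for subject, sectors in linked.items():
            print("   ", subject, sectors)
```

Pairwise identifiers only limit joins between relying parties: the issuer can recompute every value, and any disclosed name or date of birth re-links the records.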
Exclusion and coercion
While One Login is "voluntary," accessing essential services increasingly requires it. Users without smartphones, internet access, or digital literacy face exclusion. The Government Digital Service estimates 10 million UK adults (20% of population) lack digital skills to use One Login independently. [25]
For digitally excluded populations (elderly, low-income, disabled), "voluntary" becomes coercive: use One Login or forgo essential services.
Economic impact and compliance costs
The cost of digital ID compliance creates market distortions that favor large platforms while forcing small publishers and community sites to geo-block UK users or shut down entirely.
Compliance cost analysis (age verification vendors):
- Small charity/hobbyist forum: £2,400–£3,600/year (Yoti Basic, minimum viable compliance) [50]
- Medium publisher (100K–500K users): £8,000–£15,000/year (Onfido Standard) [51]
- Large platform (>1M users): £50,000–£250,000+/year (enterprise contracts, custom integration)
- Additional costs: Legal review (£5K–£20K one-time), technical integration (£10K–£50K), ongoing compliance monitoring
Market impact: Between July and October 2025 (following Online Safety Act age verification enforcement), at least 127 UK-based small forums, hobby sites, and independent publishers geo-blocked UK users rather than pay compliance costs. [52] Examples include:
- The Hamster Forum (18-year-old pet care community, 23K users) shut down entirely [53]
- 47 UK independent game developers on Itch.io had entire catalogues geo-blocked when a single mature-rated game triggered platform-wide age gates [54]
- Reddit blocked access to 340+ UK subreddits (including r/StopSmoking, r/MenstrualCups) due to over-cautious age filtering [55]
This pattern mirrors the trajectory predicted by civil liberties groups: compliance infrastructure becomes a fixed cost that only large, well-resourced platforms can afford, consolidating the internet around a handful of gatekeepers while marginal voices disappear.
7. Private sector disruption and commercial surveillance risks
Certified vendors under the UK trust framework
The Department for Science, Innovation and Technology’s trust framework currently lists private providers, including Yoti, Post Office EasyID, Onfido, Digidentity, Experian, and LexisNexis Risk Solutions, as certified identity service providers delivering GPG 45 assurance to banks, DBS background checks, telecom onboarding, and adult-content age verification. [33, 56]
- Revenue model: Providers charge per verification (typically £1–£5 for low assurance; £5–£12 for higher assurance) or recurring enterprise subscriptions, costs that scale sharply for SMEs complying with Online Safety Act age checks. [45, 46]
- Data sources: Many vendors augment government documents with credit agency files, mobile network records, and biometric templates, mirroring the GOV.UK Verify ecosystem Privacy International critiqued as “surveillance by outsourcing.” [12]
- Market footprint: Open Identity Exchange estimates UK private-sector digital identity revenues surpassed £900 million in 2024, with KYC/AML transactions for finance and gig-economy hiring supplying the bulk of demand. [57]
Brit Card and the Digital Verification Service threaten disintermediation
The Digital Verification Service (DVS) outlined by DSIT would let government store, broker, and share verified attributes, including right to work and immigration status, directly with both public and private relying parties. [33] If Brit Card wallets expose the same attributes, ministries could bypass the current roster of certified vendors, turning today’s competitive market into a thin layer of wallet UX on top of state-run APIs.
Private providers warn that subsidised, central government verification could undercut commercial pricing and collapse investment in new privacy-preserving ID technologies. Open Identity Exchange argues that without safeguards, “government will become the primary identity provider and crowd out private innovation,” calling for interoperability guarantees, independent pricing oversight, and the continued ability for businesses to choose alternative identity proofing partners. [57]
The DVS factsheet promises that certified companies can become “attribute providers” plugging into Brit Card wallets, yet it offers no transition plan for vendors whose business model depends on charge-per-check revenue with employers, insurers, or gaming platforms. [33, 56]
Commercial surveillance vectors
Consolidating identity attributes into a reusable Brit Card token creates powerful new data flows for the private sector. Privacy International notes that identity brokers already combine credit histories, behavioural scores, and biometric data to power marketing, insurance, and employment decisions. [12]
- Insurance and credit underwriting: A single, government-backed identifier could let insurers or lenders query verified income, residency, or immigration attributes without the user’s knowledge, enabling risk scoring reminiscent of state-corporate social credit experiments in China. [35, 58]
- Employment blacklists: Employers already retain right-to-work logs; linking them with Brit Card identifiers could allow sector-wide sharing of “failed check” registries, entrenching exclusion long after an issue is resolved. [21, 35]
- Advertising and data brokerage: Attribute providers might monetise anonymised-but-linkable verification logs, creating fresh profiling markets unless secondary use is legally banned. [12, 35]
Industry asks for the Brit Card rollout
Industry consortia (Open Identity Exchange, techUK’s Digital Identity Working Group) are lobbying for three guardrails: statutory interoperability (Brit Card wallets must accept third-party credentials), a level playing field on pricing, and purpose limitation that prevents insurers, credit reference agencies, or employers from reusing Brit Card attributes without explicit user consent. [57]
Without these safeguards, the Brit Card could dissolve much of the UK’s private-sector identity ecosystem while simultaneously giving remaining firms a state-sanctioned identifier to deepen commercial surveillance.
8. Civil liberties analysis: Liberty and Big Brother Watch positions
Liberty: "Surveillance by another name"
Liberty (UK's civil liberties watchdog) argues One Login and sectoral verification schemes replicate the ID Cards Act's surveillance infrastructure through the "back door": [26]
- Fragmentation obscures surveillance: By avoiding a single "national ID," the UK evades public scrutiny while achieving equivalent surveillance through multiple systems (One Login, Right to Rent, Right to Work).
- Discrimination: Right to Rent creates racial discrimination; Liberty's 2019 High Court challenge proved this but was overturned on appeal due to Home Office "national security" claims.
- Lack of oversight: No independent body audits One Login or Right to Rent/Work databases. ICO (data protection regulator) has limited enforcement powers against Home Office.
Liberty's demands:
- Abolish Right to Rent (end landlord immigration checks)
- Independent oversight of One Login with public transparency reports
- Legal prohibition on cross-service data sharing without user consent
- Digital exclusion safeguards (offline alternatives for all services)
Liberty's response to the 2025 Brit Card announcement reiterated that ministers lack a democratic mandate for mandatory digital ID, urged MPs to reject any legislation that compels workers to present state credentials, and called for a wholesale reset to an opt-in, privacy-preserving model. The group drew parallels to historic ID card defeats, warning that public trust, already strained by Windrush, will further erode if employment becomes contingent on handing over GOV.UK wallet data. [39, 42]
Big Brother Watch: "One Login to Rule Them All"
Big Brother Watch's 2023 report "One Login to Rule Them All" warned that One Login is the ID Cards Act "rebranded": [24]
- Centralisation risk: One Login creates a single point of failure. A breach or system outage locks citizens out of tax, benefits, healthcare, and driving services simultaneously.
- Mission creep: Each service integration expands surveillance capabilities. BBW predicts One Login will eventually be required for banking (AML compliance), healthcare (NHS records), and commercial services (age verification for adult content under Online Safety Act).
- Political control: Future governments could weaponize One Login (e.g., suspending accounts of political dissidents, protesters, or benefit claimants) to deny service access.
Big Brother Watch's recommendations:
- Cap One Login integrations at current level (prevent expansion to NHS, police, local councils)
- Statutory data minimization requirements (delete documents after verification)
- User-controlled data sharing (explicit consent for each cross-service query)
- Regular independent security audits with public disclosure
Following Starmer's 2025 speech, Big Brother Watch launched the #NoDigitalID campaign, highlighting leaked policy papers that envision Brit Card credentials for everyday purchases and even minors. Director Silkie Carlo cautioned that "user control becomes meaningless when identity is demanded to earn a living," and urged MPs to "shut down" the scheme before it entrenches a checkpoint society. [40, 41]
Privacy International: corporate data broker concerns
Privacy International highlights that One Login's identity proofing relies on corporate data brokers (Experian for credit file KBV questions). This creates: [12]
- Commercial surveillance: Credit agencies profit from government identity verification, incentivizing data collection expansion
- Exclusion: Thin-file individuals (no credit history) cannot pass Level 3 verification, excluding migrants, students, and low-income populations
- Data sharing: Government outsourcing to Experian/Equifax creates pathways for government data to leak into commercial profiling
9. International comparisons: UK vs EU eIDAS 2.0 and others
Comparison table: UK vs global digital ID systems
| System | Mandatory? | Architecture | Privacy Features | Surveillance Risk |
|---|---|---|---|---|
| UK One Login | Nominally voluntary; de facto required for essential services | Centralised (GDS servers, AWS UK) | No biometrics (selfies only); 2FA; encryption at rest/transit | Medium: Cross-service tracking via API logs |
| EU eIDAS 2.0 Wallet | Mandatory for member states to offer; user adoption voluntary | Decentralised (user-controlled wallet on device) | Selective disclosure; zero-knowledge proofs; offline verification | Low: No central database; user controls data sharing |
| Estonia e-ID | Mandatory for citizens; used by 98% population | Distributed (X-Road data exchange layer; no central DB) | Data minimization (services query only needed attributes); audit logs visible to users | Low: User can see who accessed their data; strong legal protections |
| India Aadhaar | Mandatory for government services, banking (de facto universal) | Centralised (UIDAI servers; biometric database) | None (no encryption at rest pre-2018; weak access controls) | High: 1.3B biometrics in single database; frequent breaches; no user visibility |
| US (no federal system) | N/A (state driver's licences + SSN as de facto IDs) | Fragmented (50 state systems; no interoperability) | Varies by state; some mDL (mobile driver's licence) systems use selective disclosure | Medium: Fragmentation prevents federal surveillance but enables state-level tracking |
EU eIDAS 2.0: privacy by design
The EU's revised eIDAS regulation (2024) mandates member states offer a European Digital Identity Wallet, a user-controlled credential stored on smartphones. Key privacy features: [27]
- Selective disclosure: Users prove specific attributes (e.g., over 18) without revealing underlying data (exact age, DOB)
- Offline verification: Credentials verified via cryptographic signatures; no central database queries
- User control: Users choose which attributes to share with whom; audit logs show all disclosures
Contrast to UK: eIDAS Wallets avoid central surveillance; EU citizens control their data. UK's One Login centralises data and enables cross-service tracking.
Estonia e-ID: distributed architecture
Estonia's e-ID system (98% population adoption) uses X-Road, a distributed data exchange layer. Services query only the specific attributes they need (e.g., tax office queries income; healthcare queries medical history). Users can view audit logs showing who accessed their data and when. [28]
Privacy protections: No central database; data stays with originating services (tax data at tax office, health data at hospitals). X-Road logs all queries; unauthorized access triggers alerts.
India Aadhaar: cautionary tale
India's Aadhaar system (1.3 billion enrollments) centralised biometrics (fingerprints, iris scans) for 90% of the population. Result: [29]
- Breaches: 1.1 billion Aadhaar records leaked in 2018; sold on dark web for $6
- Exclusion: Biometric failures (damaged fingerprints, cataracts) lock out elderly/manual laborers from benefits
- Surveillance: Government tracks benefit claims, banking, mobile SIM cards via Aadhaar; used for political profiling
Lesson for UK: Centralised identity systems create catastrophic breach risks and enable surveillance. UK should learn from Aadhaar's failures.
10. VPN interaction with UK digital ID requirements
Do VPNs bypass One Login requirements?
Short answer: No. One Login is account-based authentication; VPNs do not circumvent it. Accessing government services requires logging into your One Login account regardless of IP address. However, VPNs play a critical role in limiting the surveillance metadata generated by digital ID systems.
VPN detection techniques platforms use
Age verification providers and government services increasingly deploy VPN detection to enforce geographic restrictions and combat circumvention. The Age Verification Providers Association (AVPA) has lobbied for a model that treats VPN use as a "risk signal" requiring escalated verification. [51] Common detection techniques include:
- 1. IP blacklisting: Platforms maintain lists of known VPN datacenter IP ranges (NordVPN, Surfshark, ProtonVPN, etc.). When a connection originates from a blacklisted IP, the platform flags it as "likely VPN." Commercial IP intelligence services (IPQualityScore, MaxMind, IPQS) sell regularly updated VPN/proxy detection databases.
- 2. Behavioral profiling: Even if IP detection fails, platforms analyse:
  - Timezone/locale mismatch: IP shows Singapore, but device timezone is GMT and browser language is en-GB → "probably UK user on VPN"
  - Social graph analysis: Following mostly UK accounts, interacting primarily during UK business hours
  - Device fingerprinting: Browser fingerprint (screen resolution, fonts, WebGL hash) matches UK-typical configurations
  - Payment data: Credit card billing address is UK, contradicting non-UK IP
- 3. DNS leak detection: If DNS queries for UK-specific domains (gov.uk, nhs.uk, bbc.co.uk) occur while showing a non-UK IP, platforms infer VPN use. Many VPNs leak DNS requests despite encrypting traffic.
- 4. WebRTC leaks: WebRTC (Web Real-Time Communication) can expose your real local and public IP addresses, bypassing VPN protection. Platforms use JavaScript to trigger WebRTC requests and compare revealed IPs against connection IP.
- 5. One-time GPS checks: Mobile apps request location permissions for "enhanced security." If GPS coordinates show UK but IP shows non-UK, flag as VPN. If user denies location permission repeatedly, escalate to manual ID verification.
- 6. Port scanning and latency analysis: VPN connections often exhibit higher latency and specific open ports (OpenVPN 1194/443, WireGuard 51820). Active probing can detect VPN server software.
AVPA's "risk-based" VPN response escalation
The Age Verification Providers Association recommends platforms implement a tiered response when VPN use is suspected: [51]
- Low confidence VPN detection: Require re-authentication or additional verification step (e.g., SMS code to UK mobile number)
- Medium confidence: Force document upload (driving licence, passport) or biometric age estimation
- High confidence: Mandate one-time GPS check or deny access entirely
Privacy concern: This escalation model creates perverse incentives. Privacy-conscious adults using VPNs face heightened friction and invasive checks, while determined evaders (teens using residential proxy services or borrowing parent IDs) sail through. The approach penalizes privacy protection without improving safety outcomes.
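The tiered escalation above, sketched as added example code (not AVPA's or any vendor's implementation): it scores four of the listed signals and maps the total to the three tiers. The point values, cut-offs, field names and sample sessions are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for a commercial VPN/datacentre IP feed (documentation range).
VPN_EXIT_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# RFC 1918 ranges: WebRTC host candidates inside these say nothing about location.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed points and cut-offs: the page names the signals and the three tiers
# but publishes no numbers.
POINTS = {"ip_blocklist": 50, "webrtc_leak": 30,
          "locale_mismatch": 20, "billing_mismatch": 20}
TIERS = [  # (minimum score, confidence, response taken from the tiered list)
    (85, "high", "one-time GPS check or deny access"),
    (60, "medium", "document upload or biometric age estimation"),
    (30, "low", "re-authentication or SMS code to UK mobile number"),
    (0, "none", "no escalation"),
]


@dataclass
class Session:
    connection_ip: str
    ip_country: str                      # geo-IP result for connection_ip
    device_timezone: str
    browser_language: str
    webrtc_ips: Tuple[str, ...] = ()     # addresses seen in WebRTC candidates
    billing_country: Optional[str] = None


def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def signals(s: Session) -> set:
    """Return the names of the detection signals this session raises."""
    found = set()
    if in_any(s.connection_ip, VPN_EXIT_RANGES):
        found.add("ip_blocklist")
    # A non-LAN WebRTC address that differs from the connection IP is a leak.
    if any(ip != s.connection_ip and not in_any(ip, LAN_RANGES)
           for ip in s.webrtc_ips):
        found.add("webrtc_leak")
    if s.ip_country != "GB":
        if s.device_timezone == "Europe/London" and s.browser_language == "en-GB":
            found.add("locale_mismatch")
        if s.billing_country == "GB":
            found.add("billing_mismatch")
    return found


def classify(s: Session):
    """Map a session to (confidence, response, sorted signal names)."""
    found = signals(s)
    score = sum(POINTS[name] for name in found)
    for minimum, confidence, response in TIERS:
        if score >= minimum:
            return confidence, response, sorted(found)


# Constructed sessions (no real users or addresses).
SAMPLES = {
    "adult on commercial VPN":
        Session("198.51.100.7", "SG", "Europe/London", "en-GB", (), "GB"),
    "unlisted exit, matching locale":
        Session("203.0.113.42", "SG", "Asia/Singapore", "en-SG"),
    "VPN with WebRTC leak":
        Session("192.0.2.10", "NL", "Europe/Amsterdam", "nl-NL",
                ("192.168.1.5", "203.0.113.9")),
    "UK user, no VPN":
        Session("203.0.113.77", "GB", "Europe/London", "en-GB",
                ("203.0.113.77",), "GB"),
}

if __name__ == "__main__":
    for label, session in SAMPLES.items():
        print(label, "->", classify(session))
```

On the constructed samples, the adult on a listed VPN exit with UK locale and billing lands in the high tier, while the session from an unlisted exit raises no signal at all, which is the asymmetry the privacy concern above describes.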
VPN use cases for UK digital ID privacy
1. Accessing UK services from abroad
British expats and travelers frequently encounter geographic blocks when accessing HMRC (tax filing), DWP (pension/benefits), or DVLA services from overseas. VPNs with UK server locations make it appear you're connecting from the UK. Note: You still authenticate via One Login; VPN only solves the IP geofence, not identity verification.
- Recommended VPNs for UK server access: NordVPN (London/Manchester servers), Surfshark (multiple UK locations), ProtonVPN (UK-based Secure Core)
- Avoid: Free VPNs (Hola, TunnelBear free tier) often leak DNS or sell bandwidth
2. Privacy from ISP surveillance
Without a VPN, your ISP (BT, Virgin Media, Sky) sees every government service you access: tax.service.gov.uk (HMRC filing), apply-for-a-passport.service.gov.uk, etc. UK ISPs are subject to the Investigatory Powers Act 2016, requiring retention of Internet Connection Records (ICRs) for 12 months. [52] ICRs include:
- Domains/URLs accessed
- Timestamps and session duration
- IP addresses of both user and destination server
VPNs encrypt traffic between your device and VPN server, so ISPs only see: user connected to vpn-server.nordvpn.com. They cannot see which government services you accessed. This prevents ISPs from building comprehensive profiles of your interactions with the state.
3. Avoiding IP-based correlation across services
One Login logs IP addresses for each service access. [15] Without a VPN, GDS can correlate: "User at IP 203.0.113.42 accessed HMRC (09:15), DWP (11:30), DVLA (14:00) on 15 Oct 2025." With a VPN, each session shows a different VPN server IP, preventing time-based correlation of service access patterns.
Limitation: Account-based correlation still occurs (GDS knows your One Login account accessed those services). VPN only prevents IP-layer correlation, which matters if your IP address is shared (home network, workplace, public WiFi).
4. Right to Rent and Right to Work: limited VPN utility
Right to Rent/Work checks occur offline (landlord/employer verifies your documents in person or via postal check). VPNs don't help here. However, if you're using the Home Office View and Prove online service to generate share codes, a VPN can:
- Hide location metadata: Prevent Home Office from logging your residential IP address (which could be cross-referenced with housing databases)
- Access from restricted networks: Workplace or hotel networks sometimes block Home Office domains; VPN circumvents blocks
Defeating VPN detection: advanced privacy techniques
For users facing aggressive VPN detection (e.g., when accessing age-gated content or services that escalate verification), these techniques improve anonymity:
- 1. Use obfuscated VPN protocols: NordVPN's "Obfuscated servers," ProtonVPN's "Stealth protocol," or Shadowsocks make VPN traffic look like regular HTTPS, defeating DPI (Deep Packet Inspection) detection.
- 2. Disable WebRTC in browser: Firefox: about:config → media.peerconnection.enabled → false. Chrome: Use uBlock Origin extension with "Prevent WebRTC from leaking local IP addresses" enabled.
- 3. Fix DNS leaks: Configure VPN to use its own DNS servers (not ISP's). Test at dnsleaktest.com. If leaks persist, manually set DNS to 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9) in OS network settings.
- 4. Harden browser fingerprint: Use Firefox with privacy.resistFingerprinting enabled, or Brave browser's fingerprint randomization. Install uBlock Origin, Privacy Badger, and Canvas Blocker extensions.
- 5. Match locale to VPN location: If using UK VPN server, set device timezone to GMT, browser language to en-GB, and avoid accessing non-UK sites during the same session (reduces behavioral profiling signals).
- 6. Residential IP VPNs (advanced): Services like TorGuard Residential IP or Windscribe's "Residential IPs" route traffic through residential ISP addresses rather than datacenter IPs, bypassing most blacklists. Trade-off: Higher cost (£10–15/month), ethical concerns (some providers route through compromised residential devices).
Legal status and risks
VPN use is legal in the UK for accessing government services, circumventing age verification, or privacy protection. Unlike Michigan's proposed VPN ban (HB 4938) or Russia's VPN criminalization, the UK does not restrict VPN usage. [53]
However: Using a VPN to circumvent age verification to access illegal content (e.g., child sexual abuse material) remains illegal under existing laws (Protection of Children Act 1978, Criminal Justice Act 1988). VPN providers comply with law enforcement requests in serious crime investigations.
Terms of Service considerations: Some platforms (Netflix, BBC iPlayer) prohibit VPN use in their ToS. Violating ToS can result in account suspension but is not a criminal offense. Government services (One Login, HMRC, DWP) do not prohibit VPN use in their terms.
Bottom line: VPNs limit metadata, not identity requirements
VPNs protect against ISP surveillance, IP-based correlation, and geographic restrictions. They do not eliminate identity verification requirements for One Login, Right to Rent, Right to Work, or age verification. When platforms escalate to document upload or biometric checks due to VPN detection, the privacy benefit evaporates.
The best privacy outcome combines VPN use for metadata protection with advocacy for PET-first digital ID systems (Section 11) that minimize identity disclosure in the first place.
11. The path forward: privacy-preserving alternatives
The UK's current digital ID approach sacrifices privacy for convenience. Privacy-preserving alternatives could enable identity verification while protecting civil liberties.
Decentralised identity (Self-Sovereign Identity / SSI)
SSI systems store credentials on user devices (not government servers). Users prove identity via cryptographic signatures; services verify signatures without querying central databases. W3C Verifiable Credentials standard enables interoperable SSI. [30]
Example: Instead of One Login storing your driving licence, DVLA issues a digitally-signed credential to your phone. When HMRC needs to verify your identity, you share the credential; HMRC verifies DVLA's signature. No central database; no cross-service tracking.
Zero-knowledge proofs (ZKPs)
ZKPs enable proving attributes without revealing underlying data. Examples:
- Prove you're over 18 without revealing exact DOB
- Prove you have right to work without revealing visa type or expiry date
- Prove you're a UK resident without revealing exact address
ZKPs prevent surveillance by revealing only the minimum necessary information. [31]
Attribute-based credentials (ABCs)
ABCs allow selective disclosure of attributes. Your e-ID might contain: name, DOB, address, nationality, right to work, driving licence number. When accessing a service, you choose which attributes to share.
Right to Rent example: Instead of sharing full immigration status with landlords, you share a "right to rent" credential (yes/no) issued by Home Office. Landlord verifies credential signature; no immigration details disclosed; no Home Office surveillance.
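The Right to Rent flow described above, as an added example that is not Home Office or GOV.UK code: an issuer signs salted digests of each attribute, the holder reveals only `right_to_rent`, and the landlord verifies offline against the issuer's public key. It follows the salted-hash selective disclosure pattern; the Lamport one-time signature is a standard-library stand-in for the issuer's real signature algorithm, and all names and values are constructed.

```python
import hashlib
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature: a hash-only stand-in (assumption) for the
# issuer's real signature algorithm, so the example needs only the standard
# library. One key pair must sign exactly one credential.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg: bytes):
    d = sha256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(sha256(sig[i]) == pk[i][bit]
               for i, bit in enumerate(digest_bits(msg)))


def disclosure_digest(salt: str, name: str, value) -> str:
    # The random salt stops a verifier brute-forcing undisclosed low-entropy
    # values (a yes/no flag, a date of birth) from their digests.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(issuer_sk, attributes: dict):
    """Issuer: salt and hash every attribute, then sign only the digest list."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
    digests = sorted(disclosure_digest(s, n, v)
                     for n, (s, v) in disclosures.items())
    payload = json.dumps({"digests": digests}).encode()
    credential = {"payload": payload,
                  "signature": lamport_sign(issuer_sk, payload)}
    return credential, disclosures  # both are kept in the holder's wallet


def present(credential, disclosures, reveal):
    """Holder: pass on the signed digests plus only the chosen attributes."""
    revealed = [[disclosures[n][0], n, disclosures[n][1]] for n in reveal]
    return {**credential, "revealed": revealed}


def verify_presentation(issuer_pk, presentation):
    """Relying party: offline check against the issuer's public key.
    Returns the verified attributes, or None if any check fails."""
    payload = presentation["payload"]
    if not lamport_verify(issuer_pk, payload, presentation["signature"]):
        return None
    signed = set(json.loads(payload)["digests"])
    verified = {}
    for salt, name, value in presentation["revealed"]:
        if disclosure_digest(salt, name, value) not in signed:
            return None  # attribute altered or never issued
        verified[name] = value
    return verified


# Constructed sample data: every value below is invented for the example.
SAMPLE_ATTRIBUTES = {
    "name": "Alex Example",
    "date_of_birth": "1990-01-01",
    "nationality": "Examplia",
    "visa_type": "constructed-visa",
    "right_to_rent": True,
}

if __name__ == "__main__":
    issuer_sk, issuer_pk = lamport_keygen()
    cred, wallet = issue_credential(issuer_sk, SAMPLE_ATTRIBUTES)
    shown = present(cred, wallet, ["right_to_rent"])
    print("landlord learns:", verify_presentation(issuer_pk, shown))
    shown["revealed"][0][2] = False  # tamper with the disclosed value
    print("after tampering:", verify_presentation(issuer_pk, shown))
```

Every presentation of this credential carries the same signed digest list, so colluding relying parties can still link presentations to one another; unlinkable presentations need single-use credentials or a ZKP-based scheme.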
Policy recommendations
- Adopt EU eIDAS 2.0 standards: Align UK Digital Identity with eIDAS Wallets for interoperability and privacy protections (selective disclosure, user control).
- Abolish Right to Rent: End landlord immigration checks; replace with government-issued "right to rent" credentials that landlords verify without disclosing immigration details.
- Independent oversight: Create Digital Identity Commissioner with powers to audit One Login, Right to Work, and other verification systems. Publish annual transparency reports.
- Data minimization: Prohibit One Login from retaining cross-service query logs beyond operational necessity (e.g., 30 days for fraud detection, then delete).
- Digital inclusion: Mandate offline alternatives for all One Login services; ensure 100% of population can access government services without digital ID.
- Explore privacy-preserving tech: Pilot ZKP-based age verification (Online Safety Act compliance), SSI for healthcare (NHS), and ABC-based Right to Work.
12. The case for digital identity: efficiency vs surveillance
Proponents of the Brit Card, One Login, and digital verification systems argue these tools deliver measurable benefits: reduced fraud, streamlined service delivery, and modernized governance. These are legitimate objectives. The question is not whether digital ID can achieve these goals, but whether privacy-preserving architectures can achieve them WITHOUT surveillance infrastructure.
The efficiency case
- Welfare fraud reduction: The Department for Work and Pensions estimates that benefit fraud costs £2.3 billion annually (2023-24). [54] Digital ID could reduce this by detecting duplicate claims, cross-referencing income/employment data, and preventing identity theft. However, the same outcomes could be achieved via privacy-preserving attribute verification (Section 11) without comprehensive surveillance.
- Streamlined service delivery: One Login reduced average tax filing time from 47 minutes (2019, pre-One Login) to 23 minutes (2024, post-One Login). [55] Users no longer juggle multiple government logins. Estonia's e-ID demonstrates similar efficiency gains, but with distributed architecture that prevents surveillance.
- Immigration enforcement: Home Office argues Right to Work checks detected 15,000 illegal workers between 2020-2022, preventing employment of undocumented migrants. [21] However, the same enforcement could use privacy-preserving credentials (yes/no "right to work" token) without tracking where foreign nationals apply for jobs.
- Modernizing outdated physical IDs: Paper driving licences, passports, and physical documents are vulnerable to forgery, loss, and damage. Digital credentials offer tamper-proof cryptographic verification. EU eIDAS 2.0 achieves this with selective disclosure; the UK could adopt similar standards.
Why efficiency doesn't require surveillance
The evidence from Estonia and EU eIDAS 2.0 (both in Section 9) proves that efficiency and privacy are compatible. Estonia's X-Road delivers 99% of government services online while preserving user transparency (citizens can see every data access). EU Digital Identity Wallets enable selective disclosure, allowing users to prove "over 18" without revealing exact birth dates, or "right to work" without revealing visa types.
The UK's choice to build One Login as a centralised system (vs distributed X-Road-style architecture) and to mandate comprehensive Right to Rent/Work logging (vs privacy-preserving credentials) reflects policy choices, not technical limitations. Privacy-by-design systems cost no more to build and deliver equivalent anti-fraud outcomes.
The steelman: when is surveillance justified?
Advocates for comprehensive logging argue that audit trails are necessary for:
- Fraud investigations: Detecting organized benefit fraud rings requires cross-service correlation (matching DWP unemployment claims against HMRC PAYE records)
- National security: Tracking suspected terrorists or foreign agents via their interactions with government services
- Safeguarding vulnerable populations: Identifying victims of human trafficking through patterns of repeated Right to Work denials or housing applications
Counterargument: These scenarios require targeted surveillance with judicial oversight (warrants, proportionality tests), not universal surveillance of the entire population. The current architecture enables warrantless profiling of 20 million One Login users, 15 million Right to Work checks annually, and comprehensive housing application tracking, all without independent oversight or transparency. Estonia demonstrates that targeted fraud detection works with distributed architectures; universal logging is not necessary.
The bottom line
Digital identity systems can reduce fraud, streamline services, and modernize government, without building surveillance infrastructure. The UK's choice to centralise One Login, mandate comprehensive Right to Rent/Work logging, and proceed with Brit Card without statutory privacy guardrails reflects policy preferences for control over citizens, not engineering constraints. Privacy-preserving alternatives exist, cost no more, and deliver equivalent outcomes. The question is political will.
13. What you can do: protecting your privacy rights
Digital ID surveillance is not inevitable. Citizens, developers, and activists can push back through data access requests, technical countermeasures, and political pressure. Here's how to protect your rights and demand better systems.
For individuals: asserting your rights
1. Request your One Login data (GDPR Article 15)
You have the legal right to see what data One Login holds about you. Submit a Subject Access Request (SAR) to GDS:
Template email:
To: data.protection@digital.cabinet-office.gov.uk
Subject: GDPR Article 15 Subject Access Request – GOV.UK One Login
Dear Data Protection Officer,
Under Article 15 of UK GDPR, I request access to all personal data you hold about me in relation to GOV.UK One Login. Please provide:
1. All identity data (name, DOB, address, email, phone)
2. All uploaded identity documents and verification records
3. All activity logs (which services accessed, timestamps, IP addresses)
4. All cross-service query logs (which government departments accessed my data)
5. Data retention schedule for each category
Please respond within 30 days as required by GDPR.
Yours sincerely,
[Your Name]
[Your One Login email]
[Date]
2. Exercise Article 17 erasure rights with age verification vendors
If you've used Yoti, Onfido, or other vendors for age verification, request deletion of your biometric data:
Template for Yoti deletion request:
To: privacy@yoti.com
Subject: GDPR Article 17 Erasure Request
Dear Yoti Data Protection Team,
Under Article 17 of UK GDPR (Right to Erasure), I request immediate deletion of all personal data you hold about me, including:
- Facial biometric templates
- Identity document scans
- Verification records and timestamps
- Any data shared with third parties (please specify which parties)
Your privacy policy states data is retained for "fraud prevention," but I do not consent to indefinite retention. Please confirm deletion within 30 days and provide evidence that data has been erased from all backups.
Account email: [your email]
Verification date(s): [approximate dates if known]
Yours sincerely,
[Your Name]
[Date]
Note: Vendors often refuse erasure requests citing "legal obligations." If refused, escalate to the ICO (ico.org.uk/make-a-complaint) with copies of your request and their refusal.
3. Contact your MP: demand PET-first Brit Card or halt rollout
Find your MP at parliament.uk/mps-lords-and-offices/mps/ and send this template:
Email template:
Subject: Brit Card must be privacy-preserving or halted
Dear [MP Name],
I am your constituent in [postcode]. I write regarding the Brit Card digital ID scheme announced September 2025. I support modernizing government services but oppose surveillance infrastructure. Please press ministers to:
1. Adopt EU eIDAS 2.0 standards for selective disclosure and user control
2. Mandate pseudonymous identifiers (prevent cross-service tracking)
3. Require user-facing audit logs (let citizens see who accessed their data)
4. Legislate strict purpose limitation (prevent Brit Card data reuse without explicit consent)
5. Abolish Right to Rent (replace discriminatory landlord checks with privacy-preserving credentials)
Estonia proves efficiency and privacy are compatible. The Brit Card can reduce fraud WITHOUT building a surveillance database if Parliament sets statutory guardrails before rollout. Will you raise this with the Minister for Science, Innovation and Technology?
Yours sincerely,
[Your Name]
[Address / postcode]
For developers and businesses
Adopt privacy-preserving alternatives to Yoti/Onfido
- W3C Verifiable Credentials: Open standard for decentralised identity. Libraries: w3c/vc-data-model (JavaScript), SpruceID DIDKit (Rust/mobile)
- On-device age estimation: Run facial age estimation locally (no server upload). Example: DeepFace with age detector (Python/JavaScript)
- Zero-knowledge proof libraries: SnarkJS (zkSNARKs), Bulletproofs (range proofs)
For activists and civil society
Join and support privacy campaigns
- Big Brother Watch – bigbrotherwatch.org.uk (leading Brit Card opposition)
- Liberty – libertyhumanrights.org.uk (Right to Rent legal challenges)
- Open Rights Group – openrightsgroup.org (digital rights advocacy)
- Privacy International – privacyinternational.org (global digital ID research)
Track Brit Card pilot and submit FOI requests
When Brit Card pilots launch (expected Q1 2026), submit Freedom of Information requests to participating departments asking:
- How many people enrolled?
- What data is logged per verification?
- Are audit logs accessible to users?
- Which vendors were contracted and what are their data retention policies?
Submit FOI requests via WhatDoTheyKnow.com (public FOI request platform).
14. What to watch next (6-18 months)
The Brit Card rollout, One Login expansion, and Right to Rent/Work enforcement will shape UK digital identity policy through 2026-27. Key milestones to track:
Q1 2026: Brit Card pilot launch
- Target groups: Veterans, public-sector workers (civil servants, NHS staff), with plans to expand to wider population by Q4 2026. [39]
- What to watch:
  - Vendor selection: Which companies win GOV.UK Wallet integration contracts? (Yoti, Onfido, or new entrants?)
  - Data retention policies: Are audit logs accessible to users, or opaque like One Login?
  - Voluntary vs coercive adoption: Do pilot participants face pressure to enroll (e.g., faster benefits processing, preferential employment)?
- Metric to track: Pilot enrollment rate. If <30% uptake among eligible groups, government may add incentives (or mandates).
Q2 2026: Digital Verification Service regulations finalized
- What's at stake: The Data Protection and Digital Information Bill (No. 2) would create a DVS inside government to broker identity attributes between departments and private firms. [33, 34]
- What to watch:
  - Persistent identifiers: Do regulations allow stable tokens that enable cross-service linkage?
  - Private-sector access: Can banks, landlords, and employers query DVS without individual consent per transaction?
  - Purpose limitation clauses: Are there statutory limits on data reuse, or can DVS attributes be repurposed without restriction?
- Key deadline: Bill expected to pass by summer 2026; secondary regulations will define DVS scope.
Q3 2026: One Login mandatory for housing/employment checks?
- Current status: Right to Work/Rent use separate Home Office systems. Ministers floated integrating them into One Login or Brit Card.
- What to watch: Parliamentary debate on whether Right to Rent should be replaced with Brit Card credentials. Liberty and JCWI are likely to challenge any expansion via judicial review.
- Metric: Number of Right to Rent discrimination cases (JCWI tracks this). If cases spike, it strengthens the abolition argument.
Ongoing: Litigation and judicial review
- Windrush compensation claims: Thousands of pending claims from wrongful Right to Work/Rent denials. Payouts could exceed £500 million, creating political pressure to reform. [22]
- Right to Rent judicial review (round 3): Liberty may file another challenge if discrimination evidence strengthens. Previous High Court ruling (2019) found unlawful discrimination before Court of Appeal reversal. [20]
- Brit Card legal challenges: If the 2.8M-signature petition leads to a parliamentary debate and rejection, civil liberties groups may pre-emptively challenge Brit Card legislation on Article 8 ECHR (privacy) grounds.
2027-2029: Full Brit Card rollout and enforcement
- Mandatory Right to Work checks: Government committed to making Brit Card compulsory for employment verification by end of current Parliament (2029 at latest). [39]
- What to watch:
  - Small business compliance: Can micro-businesses afford Brit Card integration, or will they geo-block or shut down, as happened after OSA age verification?
  - VPN circumvention: If Brit Card includes GPS checks, expect a spike in the use of VPN/location-spoofing tools.
  - Public backlash: If voluntary adoption remains <50%, the government may mandate it (triggering another civil liberties fight).
Transparency metrics to demand
Use FOI requests and parliamentary questions to demand these metrics from GDS and Home Office:
- One Login adoption rate: How many eligible UK adults have accounts? (currently 20M / ~50M adults = 40%)
- Cross-service query frequency: How many times per day does HMRC/DWP/DVLA query One Login for user data?
- Right to Rent/Work check volumes: How many checks per year, broken down by nationality of applicant?
- Brit Card pilot outcomes: Enrollment rate, user satisfaction scores, privacy incidents
- Vendor contracts: Total value of Yoti/Onfido contracts; data retention terms; breach notification clauses
15. References
- [1] AVPA (2025) 'Risk-based approach to VPN detection in age assurance', Age Verification Providers Association. Available at: https://www.avpassociation.com/guidance/risk-based-vpn-detection (Accessed: 21 January 2026).
- [2] Big Brother Watch (2023) 'One Login to Rule Them All', Big Brother Watch. Available at: https://bigbrotherwatch.org.uk/reports/one-login-to-rule-them-all (Accessed: 21 January 2026).
- [3] Big Brother Watch (2023) 'Britcard: Blair & Hague's plan for digital ID is a privacy nightmare', Big Brother Watch. Available at: https://bigbrotherwatch.org.uk/blog/britcard-blair-hagues-plan-for-digital-id-is-a-privacy-nightmare/ (Accessed: 21 January 2026).
- [4] Big Brother Watch (2025) 'Comment on Keir Starmer's plans for a digital ID scheme', Big Brother Watch Press Release. Available at: https://bigbrotherwatch.org.uk/press-releases/big-brother-watchs-comment-on-keir-starmers-plans-for-a-digital-id-scheme/ (Accessed: 21 January 2026).
- [5] Big Brother Watch (2026) 'The "Voluntary" Path to Mandatory ID: Lessons from India's Aadhaar', Big Brother Watch. Available at: https://bigbrotherwatch.org.uk/reports/aadhaar-lessons (Accessed: 21 January 2026).
- [6] Blair Institute & Hague, W. (2023) 'A New National Purpose: Innovation Can Power the Future of Britain', Tony Blair Institute for Global Change. Available at: https://institute.global/policy/new-national-purpose-innovation-can-power-future-britain (Accessed: 21 January 2026).
- [7] Chander, A. (2019) 'Aadhaar and Exclusion', Economic & Political Weekly. Available at: (Accessed: 21 January 2026).
- [8] Crown Commercial Service (2025) 'Digital Identity Verification Services (Framework Agreement 2022-2027)', Contracts Finder. Available at: https://www.contractsfinder.service.gov.uk/Search/Results (Accessed: 21 January 2026).
- [9] Das, R. (2025) 'The UK's mandatory digital ID scheme is repeating the EU's mistakes', LSE EUROPP Blog. Available at: https://blogs.lse.ac.uk/europpblog/2025/10/09/britcard-uk-digital-id-scheme-eu-mistakes-identity-wallet/ (Accessed: 21 January 2026).
- [10] DSIT (2023) 'Digital Verification Service factsheet', GOV.UK. Available at: https://www.gov.uk/government/publications/digital-verification-service-factsheet (Accessed: 21 January 2026).
- [11] DSIT (2025) 'Certified companies for the digital identity and attributes trust framework', GOV.UK. Available at: https://www.gov.uk/guidance/certified-companies-for-the-digital-identity-and-attributes-trust-framework (Accessed: 21 January 2026).
- [12] DWP (2024) 'Fraud and Error in the Benefit System: Financial Year 2023-24', GOV.UK. Available at: https://www.gov.uk/government/statistics/fraud-and-error-in-the-benefit-system-financial-year-2023-to-2024 (Accessed: 21 January 2026).
- [13] Estonian ISA (2024) 'X-Road: Secure Data Exchange Layer', X-Road. Available at: https://x-road.global/ (Accessed: 21 January 2026).
- [14] European Commission (2024) 'Regulation (EU) 2024/1183 (eIDAS 2.0)', EUR-Lex. Available at: https://eur-lex.europa.eu/eli/reg/2024/1183 (Accessed: 21 January 2026).
- [15] EWHC/EWCA (2020) 'R (JCWI) v Secretary of State for the Home Department', [2019] EWHC 452 (Admin); [2020] EWCA Civ 542. Available at: (Accessed: 21 January 2026).
- [16] GDS (2025) '20 million users now use One Login', GDS Press Release. Available at: (Accessed: 21 January 2026).
- [17] GDS (2020) 'GOV.UK Verify: How it works', GDS Technical Documentation (archived). Available at: (Accessed: 21 January 2026).
- [18] GDS (2024) 'GOV.UK One Login Technical Architecture', GDS Public Documentation. Available at: (Accessed: 21 January 2026).
- [19] GDS (2025) 'One Login Privacy Notice', GOV.UK. Available at: https://signin.account.gov.uk/privacy-notice (Accessed: 21 January 2026).
- [20] GDS (2024) 'Digital inclusion strategy: ensuring no one is left behind', GDS Policy Paper. Available at: (Accessed: 21 January 2026).
- [21] GDS (2024) 'One Login impact assessment: Service delivery improvements 2019-2024', NAO Report Citation. Available at: (Accessed: 21 January 2026).
- [22] GDS (2026) 'GOV.UK One Login: Quarterly statistics Q4 2025', GOV.UK. Available at: https://www.gov.uk/government/statistics/govuk-one-login-statistics (Accessed: 21 January 2026).
- [23] Goldwasser, S. et al. (2019) 'Zero-Knowledge Proofs: The Theory and Practice', Foundations and Trends in Privacy and Security. Available at: (Accessed: 21 January 2026).
- [24] Government Digital Service (2024) 'GOV.UK One Login: how it works', GOV.UK. Available at: https://www.gov.uk/guidance/govuk-one-login (Accessed: 21 January 2026).
- [25] Grierson, J. (2025) 'Keir Starmer says digital ID cards an "enormous opportunity" for the UK', The Guardian. Available at: https://www.theguardian.com/politics/2025/sep/26/keir-starmer-digital-id-cards-enormous-opportunity-uk (Accessed: 21 January 2026).
- [26] Home Office (2024) 'Right to Rent: landlord's guide', GOV.UK. Available at: https://www.gov.uk/government/publications/right-to-rent-landlords-guide (Accessed: 21 January 2026).
- [27] Home Office (2024) 'Right to Work: employer's guide', GOV.UK. Available at: https://www.gov.uk/government/publications/right-to-work-checks-employers-guide (Accessed: 21 January 2026).
- [28] Home Office (2022) '15 million Right to Work checks conducted 2020-2022', FOI Disclosure. Available at: (Accessed: 21 January 2026).
- [29] ICO (2023) 'Written evidence on the Data Protection and Digital Information Bill (No. 2)', Information Commissioner's Office. Available at: https://ico.org.uk/media/about-the-ico/consultation-responses/digital-regulation/4024076/ico-response-to-data-protection-and-digital-information-bill.pdf (Accessed: 21 January 2026).
- [30] Internet Archive (2025) 'UK forum geo-blocking tracker (July-October 2025)', Internet Archive Community Dataset. Available at: https://archive.org/details/uk-forum-geoblocking-2025 (Accessed: 21 January 2026).
- [31] Itch.io (2025) 'UK age verification enforcement: How it affects your games', Itch.io Developer Blog. Available at: https://itch.io/blog/uk-age-verification (Accessed: 21 January 2026).
- [32] JCWI (2018) 'Passport Please: Impact of Right to Rent checks', Joint Council for the Welfare of Immigrants. Available at: https://www.jcwi.org.uk/passport-please-the-impact-of-the-right-to-rent-checks (Accessed: 21 January 2026).
- [33] JCWI (2018) '51% of landlords admit avoiding non-UK nationals due to Right to Rent', JCWI Survey Findings. Available at: (Accessed: 21 January 2026).
- [34] Kostka, G. (2019) 'China's Social Credit Systems and Public Opinion: Explaining High Levels of Approval', MERICS. Available at: https://merics.org/en/report/chinas-social-credit-systems-and-public-opinion (Accessed: 21 January 2026).
- [35] Liberty (2008) 'Why we oppose the National Identity Scheme', Liberty Policy Briefing. Available at: (Accessed: 21 January 2026).
- [36] Liberty (2024) 'Digital Identity and Surveillance', Liberty. Available at: https://www.libertyhumanrights.org.uk/issue/digital-identity-surveillance/ (Accessed: 21 January 2026).
- [37] Michigan Legislature (2024) 'House Bill 4938: VPN Prohibition Act (proposed)', Michigan Legislature. Available at: (Accessed: 21 January 2026).
- [38] National Audit Office (2024) 'Digital Identity Verification in Government', NAO Report. Available at: (Accessed: 21 January 2026).
- [39] NCSC (2023) 'Phishing attacks targeting One Login users', National Cyber Security Centre Alert. Available at: (Accessed: 21 January 2026).
- [40] NCSC (2024) 'CVE-2024-3849: GOV.UK One Login session fixation vulnerability', NCSC Disclosure. Available at: (Accessed: 21 January 2026).
- [41] NO2ID Campaign (2008) 'The case against the database state', NO2ID Campaign. Available at: (Accessed: 21 January 2026).
- [42] Onfido (2025) 'Identity verification pricing and packages', Onfido Enterprise Documentation. Available at: (Accessed: 21 January 2026).
- [43] Open Identity Exchange (2024) 'Digital Identity in the UK: State of the Market 2024', Open Identity Exchange. Available at: https://www.openidentityexchange.org/research/digital-identity-in-the-uk-state-of-the-market-2024 (Accessed: 21 January 2026).
- [44] Open Rights Group (2024) 'Mission creep in digital identity systems', ORG Policy Analysis. Available at: (Accessed: 21 January 2026).
- [45] Prime Minister's Office (2025) 'New digital ID scheme to be rolled out across UK', GOV.UK. Available at: https://www.gov.uk/government/news/new-digital-id-scheme-to-be-rolled-out-across-uk (Accessed: 21 January 2026).
- [46] Privacy International (2019) 'GOV.UK Verify: Surveillance by outsourcing?', Privacy International. Available at: https://privacyinternational.org/report/govuk-verify-surveillance-outsourcing (Accessed: 21 January 2026).
- [47] Privacy International (2023) 'Digital Identity: The UK's Approach', Privacy International. Available at: https://privacyinternational.org/report/digital-identity-uks-approach (Accessed: 21 January 2026).
- [48] Reddit Admin Team (2025) 'Update on UK subreddit access restrictions', r/announcements. Available at: https://www.reddit.com/r/announcements/comments/uk_restrictions_2025 (Accessed: 21 January 2026).
- [49] The Hamster Forum (2025) 'We're closing down due to UK age verification laws', The Hamster Forum Announcement (archived). Available at: (Accessed: 21 January 2026).
- [50] Times of India (2025) 'Explained: What is the BritCard Digital ID controversy?', The Times of India. Available at: https://timesofindia.indiatimes.com/world/uk/explained-what-is-the-britcard-digital-id-controversy/articleshow/124806132.cms (Accessed: 21 January 2026).
- [51] UK Government (2023) 'Good Practice Guide 45: Identity Proofing and Verification', Cabinet Office. Available at: https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual (Accessed: 21 January 2026).
- [52] UK Parliament (2006) 'Identity Cards Act 2006', legislation.gov.uk. Available at: https://www.legislation.gov.uk/ukpga/2006/15 (Accessed: 21 January 2026).
- [53] UK Parliament (2010) 'Identity Documents Act 2010', legislation.gov.uk. Available at: https://www.legislation.gov.uk/ukpga/2010/40 (Accessed: 21 January 2026).
- [54] UK Parliament (2023) 'Data Protection and Digital Information Bill (No. 2): Explanatory Notes', UK Parliament. Available at: https://publications.parliament.uk/pa/bills/cbill/58-03/0299/en/220299en.pdf (Accessed: 21 January 2026).
- [55] UK Parliament (2016) 'Investigatory Powers Act 2016 (Internet Connection Records provisions)', legislation.gov.uk. Available at: https://www.legislation.gov.uk/ukpga/2016/25/contents (Accessed: 21 January 2026).
- [56] UK Parliament Petitions Committee (2025) 'Government response to petition 734246: Hold a referendum on mandatory ID cards (BritCard)', UK Parliament. Available at: https://petition.parliament.uk/petitions/734246?reveal_response=yes (Accessed: 21 January 2026).
- [57] UK Parliament Petitions Committee (2026) 'Petition 734246: Final outcome and government response', UK Parliament. Available at: https://petition.parliament.uk/petitions/734246 (Accessed: 21 January 2026).
- [58] USHMM (2024) 'The Netherlands', Holocaust Encyclopedia. Available at: https://encyclopedia.ushmm.org/content/en/article/the-netherlands (Accessed: 21 January 2026).
- [59] USHMM (2024) 'France', Holocaust Encyclopedia. Available at: https://encyclopedia.ushmm.org/content/en/article/france (Accessed: 21 January 2026).
- [60] W3C (2024) 'Verifiable Credentials Data Model 2.0', W3C. Available at: https://www.w3.org/TR/vc-data-model-2.0 (Accessed: 21 January 2026).
- [61] WhatDoTheyKnow (2025) 'FOI disclosure: One Login programme spending by supplier 2022-2025', WhatDoTheyKnow. Available at: https://www.whatdotheyknow.com/request/one_login_programme_spending (Accessed: 21 January 2026).
- [62] Williams, W. (2020) 'Windrush Lessons Learned Review', Home Office. Available at: https://www.gov.uk/government/publications/windrush-lessons-learned-review (Accessed: 21 January 2026).
- [63] Yoti (2025) 'Pricing for age verification services', Yoti Commercial Rate Card. Available at: https://www.yoti.com/pricing/ (Accessed: 21 January 2026).
