
A Shortcut to Identity Theft? Concerns Mount Over UK’s Upcoming Brit Card Rollout

As Britain moves toward a digital identity card, the question is whether it can learn from Estonia’s safeguards, or whether it will hand hackers the keys to a national vault of personal data


Britain’s push to roll out a new national digital identity card, the so-called “Brit card,” is being hailed by ministers as a step toward modern governance. But experts warn the scheme could just as easily become a liability — a single point of failure and a target for hackers.

The government says the card, reportedly inspired by Estonia’s digital ID model, would consolidate key identity information and allow checks via a smartphone app before citizens can start a job or sign a rental agreement. Prime Minister Keir Starmer has framed it as a modernization of public services. Yet critics say the very design of the scheme risks creating what one expert calls a “national honeypot” of sensitive data.

“Digital ID can cut paperwork and help stop exploitation,” Marc Porcar, CEO of QR Code Generator, told Afcacia. “But if you build a digital ID around a singular, delicate hub or collect more data than you need, you create a national honeypot. That is both a security risk and a trust killer. The UK should copy the best parts of Europe’s wallet approach and ban any tracking of where people use their ID.”

In the 2000s, Prime Minister Keir Starmer’s Labour Party, then led by Tony Blair, attempted to introduce a physical identity card, but the plan was eventually dropped by Blair’s successor, Gordon Brown, after years of opposition that called it an infringement of civil liberties. Britons have not been issued with identity cards since their abolition after World War Two, and typically use other official documents such as passports and driving licences to prove their identity when required.

The concept proposed by the current UK government is not hypothetical. In 2017, Estonia — widely seen as the pioneer of digital government — was forced to suspend or replace hundreds of thousands of ID-card certificates after a cryptographic flaw known as ROCA was discovered.

“A weakness in the ‘digital locks’ meant many keys had to be changed at once, like urgently recalling locks on most front doors in the country,” Porcar said. “The UK must assume such events will happen and rehearse rapid, mass key rotation ahead of time.”

Reliability is another concern. “The system simply working every day is just as important as cryptography,” Porcar noted, pointing to an outage in November 2023 when Estonia’s ID-card system went down for hours, cutting off access to banking and public services. In a British context, he warned, a similar outage could stall hiring and tenancy agreements if no offline fallback exists.

Identity theft risks are also growing. The Brit card, according to early mock-ups, will likely incorporate driving licences and home addresses. Porcar said this expansion raises the stakes for fraud. “During the initial onboarding phase and eventual recovery step if you lose your phone, the system should follow ENISA’s high-assurance guidance. Opening an account should be as rigorous as getting a passport, and getting back in after losing access should be at least as strong, without any ‘text me a code’ shortcut that criminals can hijack.”

Britain’s telecom vulnerabilities make the problem sharper. “Criminals also target the mobile number itself through SIM-swap attacks, convincing a network to transfer your number to their SIM so they receive your security codes,” Porcar explained. “In the UK, SIM-swap incidents surged by 1,055%, according to Cifas, and Ofcom has been forced to tighten telecom security. If codes arrive by text, a fraudster who hijacks your number can reset your accounts. The solution is to avoid text verification for high-risk actions and use phishing-resistant methods like device-bound passkeys.”

Privacy, too, is at stake. Porcar stressed that Europe’s rules already require “unobservability,” meaning providers cannot collect information on where or how IDs are used. Estonia even offers a public “Data Tracker” tool that logs who has accessed personal records. “The UK should copy both ideas: prohibit location collection and give citizens a clear audit view,” he said.

Governance could be the Brit card’s Achilles’ heel. Porcar urged Britain to bind the program to the Digital Identity and Attributes Trust Framework and enforce strict data protection reviews to prevent “mission creep.” “Europe’s rules already show the way: no tracking of wallet use and strict data minimisation,” he said.

If done correctly, Porcar acknowledged, Britain could follow Estonia’s lead in unexpected ways, even extending digital ID toward secure electronic voting. “If done right, we might see the electronic vote via mobile phones, another iconic Estonian model, implemented using the digital ID,” he said.

For now, however, the bigger question is whether Britain is prepared to learn the hard lessons from Estonia’s experiments. A digital ID could streamline bureaucracy and unlock new services. Or it could create what critics call the most valuable target in the country — a single system holding the keys to work, housing and citizenship.
