In the weeks since Prime Minister Keir Starmer said the UK would introduce digital ID cards, opposition has mounted across party and demographic lines with 2.9 million people signing petitions against the move.
Now the British government is hoping that a test of the digital ID using military vets will prove successful and soothe concerns over the plan, which will see digital forms of every type of credential issued by the government come to fruition by the end of 2027. In the meantime, the vet card will be available via smartphone app to 1.8 million people.
Starmer’s announcement of the shift to digital IDs had prompted an outcry from privacy watchdogs and citizens who voiced fears that the government would use the IDs to track citizens. That’s something that government technology secretary Liz Kendall referred to as “scaremongering,” according to a report in The Guardian, while praising the ID’s ability to make it easier for users to access government services.
Veterans groups have had mixed reactions to using their constituency as a test group for the larger rollout of digital IDs, with Stephen Kent, the media director of Veterans Association UK, panning the plan and the Royal British Legion veterans’ charity calling it “a positive development.”
Concerns over the digital IDs are not unfounded. Governments around the world have proposed similar plans, but to date, not one “has demonstrated the ability to fully protect individual data at national scale,” says Raymond Barr, CISO at Cequence Security. In fact, history has shown just the opposite at a time when threat actors have ratcheted up attacks on government.
“With sensitive data potentially residing across government systems, personal devices, and employer verification channels, bad actors have multiple pathways to exploit,” he says. “Even with compensating controls, the move toward digital identity at first glance creates more opportunities for attackers.”
Identity theft, says Black Duck Senior Staff Consultant Nivedita Murthy, “remains a longstanding issue that has proven difficult to resolve.”
Government databases that contain sensitive citizen information “have been compromised globally, putting citizens at risk and jeopardizing the services they depend on,” she says.
That’s particularly true in the UK, where Barr says government infrastructure is “under sustained pressure.” In 2024 alone, he explains, “the NCSC handled 430 cyber incidents, most involving data exfiltration and high-profile breaches have hit everything from the Electoral Commission to Parliament.”
The UK government has promised to protect data, which will reside locally in the GOV.UK Wallet app on a smartphone, with state-of-the-art encryption. “At the same time, for employers, landlords, and service providers to validate credentials, some level of centralized government system will almost certainly be required for verification, cross-referencing, or recovery,” says Barr. “That means adversaries will have not one, but three attractive targets: the individual device, the government systems, and the employer/service provider verification channels.”
To actually work in practice, “this model requires hardware-based encryption, biometric safeguards and simple recovery options” and simultaneously, “the government and any connected, third-party providers will be prime targets,” says Darren Guccione, CEO and co-founder of Keeper Security.
Protecting that infrastructure, he says, “demands strict PAM enforcement with continuous monitoring and segmentation to reduce the risk of insider threats or supply-chain compromise.”
Ultimately, though, Guccione believes “the success of the UK’s digital ID initiative will rest not just on functionality, but on embedding zero-trust principles, robust operational controls and meaningful privacy guarantees from the outset.”
The program will have to strike a balance. “The right balance between security, usability and transparency will determine whether digital ID can achieve its stated goals of protecting state interests while continuing to safeguard individual rights,” says Guccione.
The UK also will have to earn the public trust. To do so, the government “must demonstrate that its system is secure, transparent and user-friendly,” he says. “That requires clear privacy safeguards, independent audits, strong encryption to protect sensitive personal information and simple recovery options if your device is lost or stolen.”