Most active commenters
  • philipallstar(3)

←back to thread

Britain to introduce compulsory digital ID for workers

(www.reuters.com)
525 points alex77456 | 24 comments | 26 Sep 25 02:09 UTC | HN request time: 0.953s | source | bottom
Show context
aftergibson ◴[26 Sep 25 11:52 UTC] No.45385420[source]
A secure, optional digital ID could be useful. But not in today’s UK. Why? Because the state has already shown it can’t be trusted with our data.

- Snoopers’ Charter (Investigatory Powers Act 2016): ISPs must keep a year’s worth of records of which websites you visit. More than 40 agencies—from MI5 to the Welsh Ambulance Service—can request it. MI5 has already broken the rules and kept data it shouldn’t have.

- Encryption backdoors: Ministers can issue “Technical Capability Notices” to force tech firms to weaken or bypass end-to-end encryption.

- Online Safety Act: Expands content-scanning powers that experts warn could undermine privacy for everyone.

- Palantir deals: The government has given £1.5 billion+ in contracts to a US surveillance firm that builds predictive-policing tools and runs the NHS’s new Federated Data Platform. Many of those deals are secret.

- Wall-to-wall cameras: Millions of CCTV cameras already make the UK one of the most surveilled countries in the world.

A universal digital ID would plug straight into this ecosystem, creating an always-on, uniquely identified record of where you go and what you do. Even if paper or card options exist on paper, smartphone-based systems will dominate in practice, leaving those without phones excluded or coerced.

I’m not against digital identity in principle. But until the UK government proves it can protect basic privacy—by rolling back mass data retention, ending encryption backdoor demands, and enforcing genuine oversight—any national digital ID is a surveillance power-grab waiting to happen.

I'm certain it's worked well in other countries, but I have zero trust in the UK government to handle this responsibility.

replies(21): >>45385507 #>>45387492 #>>45389428 #>>45389950 #>>45390081 #>>45390083 #>>45390337 #>>45390348 #>>45390643 #>>45390732 #>>45391157 #>>45391185 #>>45391616 #>>45391657 #>>45392188 #>>45392686 #>>45394187 #>>45394216 #>>45397954 #>>45402490 #>>45403873 #
1. qazwsxedchac ◴[26 Sep 25 19:23 UTC] No.45390083[source]
The ID cards as realized in many other countries are comparatively benign, because they are a physical credential in the possession of the person concerned. The government cannot stop this credential from being used except by physically confiscating it or by waiting (years) for it to expire. Distributed storage in action.

The UK's proposal makes the "digital ID" a pointer to an entry in a centralized database. This database is the definitive record of what you are allowed to do or not do (like reside and work). Which can be changed or deleted at the stroke of a key, through human error or malice. Then what?

When (not if) the database becomes an attribute store across a wider scope, the implications are scary. The "digital ID" as set out today can't work for its ostensible purpose. Therefore its actual purpose isn't being declared. Not hard to connect the dots.

replies(9): >>45390573 #>>45390721 #>>45390806 #>>45390896 #>>45392414 #>>45392481 #>>45392635 #>>45403938 #>>45411307 #
2. philipallstar ◴[26 Sep 25 20:11 UTC] No.45390573[source]
I'm against the ID, but the more good faith reason for a database entry is it should eliminate fake IDs.
replies(6): >>45390600 #>>45390710 #>>45390714 #>>45390929 #>>45392112 #>>45393157 #
3. protimewaster ◴[26 Sep 25 20:15 UTC] No.45390600[source]
Doesn't a physically held digital ID also do that? Assuming the encryption is strong, verifying that the data on the ID has the proper cryptographic signature should provide assurance that the ID is real, shouldn't it?

I guess, depending on how it's implemented, maybe an ID could be cloned and still appear valid, but that seems like a possibility for the UK's approach as well (the clone would just point to the same database entry).

replies(2): >>45391278 #>>45391383 #
4. kristianc ◴[26 Sep 25 20:29 UTC] No.45390710[source]
"Just one more bit of regulation will solve the problem" is how Britain became the most centralised country in Western Europe. The sad thing is that the majority of the population still buy it.
replies(1): >>45394055 #
5. XorNot ◴[26 Sep 25 20:30 UTC] No.45390714[source]
The actual reason is everyone has a phone.

We have this is NSW in Australia: the Services NSW app provides a digital drivers license which is guaranteed to be accepted by authorities as legitimate.

6. crazygringo ◴[26 Sep 25 20:31 UTC] No.45390721[source]
> The government cannot stop this credential from being used except by physically confiscating it or by waiting (years) for it to expire

This is not true. Government agencies generally look up your ID as necessary to check if it's still valid.

Stopped for speeding? The cop is going to look up your driver's license.

Leaving the country? They're running your passport number.

Starting a job? They're checking the status of your SSN.

The physical ID is good enough for low-stakes stuff like renting a car with a driver's license, or proving your age to get into a bar. But it's already not trusted on its own for any of the serious stuff you're talking about, like where you can reside and work.

replies(2): >>45391177 #>>45392607 #
7. Muromec ◴[26 Sep 25 20:40 UTC] No.45390806[source]
>The government cannot stop this credential from being used except by physically confiscating it or by waiting (years) for it to expire. Distributed storage in action.

Not really. It's part of identity management or whatever it's called to have an ability to recall ids, because they get lost, stolen and people to who they are issued die.

>When (not if) the database becomes an attribute store across a wider scope, the implications are scary.

What are the scary implication really? Most of the EU and beyond has some kind of login to the government capability. And?

What's the threat model really? The government will revoke your fancy thing to report taxes digitally for no reason and bankrupt you? They can do so without such roundabout ways.

replies(1): >>45391495 #
8. squidbeak ◴[26 Sep 25 20:50 UTC] No.45390896[source]
No the proposal is in line with your first paragraph. 'Attribute level proofs' (cyptographically signed data) stored in the user wallet, with those signatures coming from verification companies polling an API in front of government departments. The other side of it is a trust registry holding verification service public keys for signature checks..
9. squidbeak ◴[26 Sep 25 20:54 UTC] No.45390929[source]
The op is incorrect. The 'database entry' is the one that exists right now at the DVLA for driving licenses or HMPO for passports. Private sector verification services poll that data to verify the data entered by the user in onboarding. That's it.
10. psnehanshu ◴[26 Sep 25 21:25 UTC] No.45391177[source]
Which means they are already a "pointer" to a record in a centralised database.
11. philipallstar ◴[26 Sep 25 21:38 UTC] No.45391278{3}[source]
Yes, I think you're probably right. But it still solves other problems such as "the app is a lookalike". If the app is basically an ID delivery mechanism that allows an operator to call up your photo, it becomes a relatively foolproof way to identify you accurately.
12. grues-dinner ◴[26 Sep 25 21:52 UTC] No.45391383{3}[source]
In a good modern implementation, it should be extremely hard to produce a physical card with an authenticated pointer to the database, because that would be also signed.

But considering that they've been retiring things like biometric residence cards in favour of web-based systems, it's possible there will be no physical component.

13. aembleton ◴[26 Sep 25 22:06 UTC] No.45391495[source]
Post something the government doesn't like, and you can no longer get a job, but you never find out why.
14. southernplaces7 ◴[26 Sep 25 23:33 UTC] No.45392112[source]
>but the more good faith reason for a database entry is it should eliminate fake IDs.

Really? If anything it would make them easier. Hackers routinely break into government databases to exfiltrate information. An ID attribute databases would be no exception, for exfiltration, or simply modification of data. Ie: creating a fake ID.

replies(1): >>45411975 #
15. closeparen ◴[27 Sep 25 00:32 UTC] No.45392414[source]
>When (not if) the database becomes an attribute store across a wider scope, the implications are scary.

Penury and deportation are quite a bit of scope already! Maybe they'll put an "arrest" bit in there. Warrants are already a thing. I don't see the UK going in for murder just yet. What's left?

16. ajsnigrutin ◴[27 Sep 25 00:47 UTC] No.45392481[source]
Not just that, but currently, requiring real data to register to eg. social networks (reddit, hn,...) is hard. With everyone having a digital ID on their phones, tying their identity to their real ID will be easy, you'll just "sign" (or whatever) your reddit registration with your ID and your real name will be tied to that account. Combine this with EU chat control (and UK alternatives.. and well, EU digital ID alternatives), and the era of semi-anonymous internet use is over.
17. tempay ◴[27 Sep 25 01:25 UTC] No.45392607[source]
Even for renting a car these days you need a verification code that you can request from the DVLA using your national insurance number.
replies(1): >>45403436 #
18. slt2021 ◴[27 Sep 25 01:33 UTC] No.45392635[source]
SSL has Certificate Revokation List, this could be implemented for Digital ID as well.

In fact, if British Digital ID is based on PKI, then CRL will come out of the box

https://en.wikipedia.org/wiki/Certificate_revocation_list

19. nine_k ◴[27 Sep 25 04:09 UTC] No.45393157[source]
Good public key cryptography should make it pretty hard. Yes, rotate the IDs every 10 years, with a new photo and using a new private key.
20. jimnotgym ◴[27 Sep 25 08:22 UTC] No.45394055{3}[source]
There was recently a request by the police for new laws about overpowered electric bicycles being ridden on pavements. Yes, they want a law against riding an already illegal vehicle in a place it is already illegal to ride it.

Now they want to make it illegal for employers to illegally give a job to people it was already illegal to give a job to by making them have a new ID, when it was already illegal to give someone a job without getting proof of their right to work in the UK!

You are 100% right

21. tomatocracy ◴[28 Sep 25 11:03 UTC] No.45403436{3}[source]
The physical card is sufficient to prove you have permission to drive. This code is for them to check how many points you have on your licence and what for. There used to be a paper counterpart to the card which showed this which they withdrew a few years ago.

In reality I've never been asked for the code when renting cars (outside the UK), the physical card seems to generally be sufficient for the hire companies.

22. jnxx ◴[28 Sep 25 12:47 UTC] No.45403938[source]
> The UK's proposal makes the "digital ID" a pointer to an entry in a centralized database.

Very similar to the "EU settlement scheme" which would gave EU citizens which had work and settled in the UK pre-Brexit after a very lengthy and non-deterministic application process the right to stay without any paper document to prove that they actually got that right. Just a database entry on a government computer. Too bad if an extreme right-wing goverment came to power and something happened to that database.

23. beefnugs ◴[29 Sep 25 07:53 UTC] No.45411307[source]
Hey we can make a new style of cooperative VPN: everyone shuffles all their traffic and uses each others IDs randomly so the data makes less sense
24. philipallstar ◴[29 Sep 25 10:01 UTC] No.45411975{3}[source]
How are you creating a fake ID by taking data, though?