Keep BritCard data in citizens’ hands, not government servers
The UK government has announced plans to roll out a nationwide digital ID, or 'BritCard', designed to prove the right to work and facilitate easier access to government services.
Digital IDs are already standard practice across the EU, Canada, and China, but only 14% of Brits support the proposal.
The public's biggest fears? Privacy, data security, and yet another expensive government project. Over half of Britons don't trust the government to handle their personal data securely.
And rightly so.
The UK government's reputation for technical fumbles is shocking. It has a history of littering its large-scale data systems with failures.
Examples range from the Passport Agency meltdown of 1999 to the Criminal Records Bureau delays that left thousands unable to start work. Each suffered from incorrect data, high costs, and poor data management.
The government plans to store BritCards on a centralised database – a single, massive vault containing the name, date of birth, nationality, residency status, and a photo of every registered citizen.
This would present a jackpot for hackers. It's like putting everyone's passport, driver's licence, and tax record in one filing cabinet, then handing the key to a private contractor.
It creates a single attack vector through which bad actors could access the identities, addresses, and biometric data of the entire nation.
A breach of this kind of centralised database wouldn't just be embarrassing – it would be catastrophic. The costs of lawsuits and system failures could amount to billions and destroy whatever public trust remains in the government.
The safest solution is to scrap the idea entirely. Hackers can't steal data that's not being held, and the best way to prevent a cyber breach is to avoid the possibility of it entirely. But if the government insists on pressing ahead, it must find a better way of doing it.
The solution is simple – decentralise the data.
Every citizen's BritCard data should be stored locally on their own device and protected by that device's encryption. The government could then verify the card's credentials at essential touchpoints, but never hold the data.
This would transform a single attack vector into tens of millions of vectors. A hacker would have to work to compromise a single individual's data at a time. Suddenly, there's no jackpot.
This has been done before. The EU's Self-Sovereign Identity framework relies on decentralised, user-controlled IDs. Using the European Blockchain Services Infrastructure, individuals can exercise control over their own digital identities, proving that digital identity can be both functional and secure.
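The model described above, with the credential held on the citizen's device and checked by a verifier that stores nothing, can be sketched with an issuer signature over salted claim digests. This is an added illustration, not code from the BritCard proposal or the EU framework; the function names, claim names and sample values are all constructed, and Ed25519 with SHA-256 is an assumed choice.

```javascript
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// A disclosure is salt + claim name + value; only its digest gets signed.
const commit = (salt, name, value) => sha256(JSON.stringify([salt, name, value]));

// Issuer: signs the digests of salted claims, then hands everything to the holder.
function issueCredential(issuerPrivateKey, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) => ({
    salt: crypto.randomBytes(16).toString('hex'), name, value,
  }));
  const digests = disclosures.map((d) => commit(d.salt, d.name, d.value)).sort();
  const payload = JSON.stringify({ digests });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey)
    .toString('base64');
  return { payload, signature, disclosures }; // lives only on the holder's device
}

// Holder: reveals only the claims a given touchpoint needs.
function present(credential, claimNames) {
  return {
    payload: credential.payload,
    signature: credential.signature,
    disclosures: credential.disclosures.filter((d) => claimNames.includes(d.name)),
  };
}

// Verifier: needs the issuer's public key only, no lookup in a citizen database.
function verifyPresentation(issuerPublicKey, presentation) {
  const ok = crypto.verify(null, Buffer.from(presentation.payload), issuerPublicKey,
    Buffer.from(presentation.signature, 'base64'));
  if (!ok) return null; // not signed by the issuer
  const { digests } = JSON.parse(presentation.payload);
  const revealed = {};
  for (const d of presentation.disclosures) {
    // A revealed claim must hash to one of the signed digests.
    if (!digests.includes(commit(d.salt, d.name, d.value))) return null;
    revealed[d.name] = d.value;
  }
  return revealed;
}

// Constructed sample data.
const issuer = crypto.generateKeyPairSync('ed25519');
const card = issueCredential(issuer.privateKey, {
  name: 'Alex Example', date_of_birth: '1990-01-01', right_to_work: true,
});
const shown = present(card, ['right_to_work']);
console.log(verifyPresentation(issuer.publicKey, shown));
```

The sketch leaves out holder key binding and revocation, so a copied presentation could be replayed; a real scheme has to add both.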
As well as protecting individuals, a decentralised system would protect the government. Centralised databases pose a significant threat to national security.
State-backed cyber units already target Britain's critical infrastructure daily. Earlier this year, the UK's National Cyber Security Centre warned that Russian and Chinese-linked hackers had compromised government departments and local councils.
Now imagine what they could do with direct access to a centralised digital ID database – a live map of the British population, their movements, and biometric data.
It's the holy grail of cyber espionage. A breach like that wouldn't just expose personal information. It could paralyse essential systems, shut down public services, and erode national trust overnight.
A centralised database is also just bad business for the government. If a data set of this size and sensitivity were compromised, it would cause a financial disaster. The government could be forced to spend billions on lawsuits filed by citizens whose data has been exposed and even more on repairing the failing system.
Centralised systems also age badly. The larger and older they get, the more fragile they become. They depend on software that quickly becomes outdated, making them easier to exploit and almost impossible to modernise without a system-wide shutdown.
A decentralised system fixes this. Data is distributed across many encrypted connection points, called nodes, rather than a single server. If one node fails or is compromised, updates target the affected nodes, while the rest keep running. It's the cybersecurity equivalent of sealing a leak before it floods the house.
Beyond security for citizens and the government, there's an ethical principle at stake: personal data belongs to the individual.
Storing citizens' digital identities in a centralised database and giving the government control over their sensitive information amounts to treating people like data assets.
This is the first step towards a surveillance state – one where constant tracking, profiling, and breaches of privacy aren't exceptions, but expectations. Following the UK government's recent efforts to access its citizens' private Apple data via a backdoor, privacy advocates have raised serious concerns over data security.
Decentralisation preserves individual ownership. Individuals control their own data, decide when and how to share it, and maintain sovereignty over their digital identities.
Of course, decentralisation isn't a silver bullet. Phishing attacks and localised hacks will still occur, and not everyone has the same digital literacy or access to secure devices.
For the elderly or those without the right technology, alternatives must be built in. These gaps can be addressed with a chip-based physical card that holds your data, like the Smart ID currently used in South Africa.
If the government ignores this advice and presses on with a centralised database for the BritCard, it's not a question of if it will be breached – but when. This system puts a giant target on the nation's back by building the largest-ever honeypot of personal data while daring hackers to take a chance.
Britain's digital future must be secure, not convenient. Data is identity – and identity belongs in the hands of the individual.
Michael Marcotte is the Co-Founder of the US National Cybersecurity Centre (NCC) and previously served as Chair of its Rapid Response Centre. He is also the Founder, Chairman, and CEO of artius.iD.