Navigating the Perils of Digital ID: A Step-by-Step Guide to Evaluating Government Proposals

Introduction

In September 2024, UK Prime Minister Keir Starmer announced plans for a national digital ID scheme, designed to let citizens store identity information—like name, date of birth, nationality, and photo—on personal devices to verify their right to live and work. Since then, the Electronic Frontier Foundation (EFF) joined 12 other civil society organizations in urging Parliament to reject the proposal, citing fundamental flaws. This guide translates the EFF's submission into a practical, step-by-step evaluation framework. Whether you’re a policymaker, advocate, or concerned citizen, follow these steps to dissect any digital ID proposal and understand why even the strongest safeguards cannot fix its core problems.

Navigating the Perils of Digital ID: A Step-by-Step Guide to Evaluating Government Proposals — Source: www.eff.org

What You Need

Before diving into the steps, gather these materials and perspectives:

Full text of the proposed digital ID scheme – including technical specifications, governance rules, and enforcement mechanisms.
Knowledge of existing privacy laws like UK GDPR and the Human Rights Act (Article 8).
Representative input from marginalized communities – think about how exclusion or bias may affect them.
Civil society reports from organizations like EFF, Privacy International, and Open Rights Group.
A willingness to question “safeguards” – even the best-intentioned rules can fail in practice.
Time and open-mindedness to follow each step without skipping ahead.

Step-by-Step Evaluation Process

Step 1: Identify Potential for Mission Creep

Start by examining the scope of the proposed ID system. Ask: Is it initially limited to proving work eligibility, or does it allow future expansion? In the UK proposal, the government has fluctuated between ideas, leaving the door open for broader use. Mission creep occurs when a system designed for one purpose gradually extends into other areas—like linking digital IDs to benefit access, housing, or voting. Red flags include vague language like “may be used for other services” or “subject to future legislation.” Document every area where the ID could become a gatekeeper.

Step 2: Assess Infringements on Privacy Rights

Next, map the data flows: What personal information is collected? Who stores it? How long is it retained? The UK scheme stores name, date of birth, nationality, and a photo on the user’s device, but the backend infrastructure may create central databases. Under Article 8 of the European Convention on Human Rights, any state interference must be necessary and proportionate. Evaluate whether the system uses minimization (collecting only what’s needed) and anonymization techniques. Also check if individuals can opt out without penalty—if not, privacy rights are at risk.

Step 3: Analyze Serious Security Risks

Digital IDs create attractive targets for hackers. Conduct a threat model for the proposed system:

Device compromise: If a phone with the digital ID is stolen, how quickly can it be revoked?
Central database breach: Even biometric data can be stolen and reused.
Man-in-the-middle attacks: When verifying identity, could an attacker intercept the process?
Insider threats: Government employees with access could misuse data.

The UK consultation did not provide detailed security architecture—a major oversight. Demand independent security audits before deployment.

Step 4: Scrutinize Reliance on Inaccurate or Unproven Technologies

Many digital ID systems lean on facial recognition, liveness detection, or biometric matching. These technologies are known to have higher error rates for women, people of colour, and the elderly (see US and Australian studies). Break down the verification process: Is technology being over-promised? Are there fallback methods for those who cannot use it? The EFF submission highlights that even “proven” tech has failure cases. Demand independently validated error rates for every demographic group.

Step 5: Evaluate Discrimination and Exclusion

Mandatory digital IDs can disenfranchise vulnerable populations:

Homeless individuals without a fixed address or smartphone.
Elderly people uncomfortable with technology.
Low-income households that cannot afford devices or mobile data.
Disabled individuals who may rely on alternative authentication methods.
Non-binary or transgender people whose documents may not match their appearance.

Analyze the proposal for offline alternatives (e.g., physical ID cards) that do not create barriers. If the scheme is “mandatory in practice” because essential services require it, then exclusion becomes a human rights issue.

Step 6: Examine the Deepening of Entrenched Power Imbalances

Finally, step back and consider the political and social consequences. A national digital ID is not just a technical tool—it shifts power from individuals to the state. The state can decide who gets access to what, effectively opening or closing doors to healthcare, jobs, housing, and more. Even with oversight boards and sunset clauses, the imbalance remains. Ask: Does the proposal include meaningful consent? Can citizens use the system without being tracked or profiled? The EFF’s core argument is that no amount of safeguards can undo the fundamental asymmetry of a mandatory digital ID.

Conclusion and Tips

After working through these six steps, you’ll likely arrive at the same conclusion as the EFF: No one should be coerced—technically or socially—into a digital system to participate fully in public life. The UK government should listen to the 2.9 million people who signed the petition against digital ID and reject the proposal outright.

Tips for action:

Join civil society coalitions – strength in numbers. Use joint letters and consultations to amplify your voice.
Focus on the core problem – don’t get distracted by debating safeguards. Emphasize that the very concept of mandatory digital ID is flawed.
Use plain language – communicate risks to the public in relatable terms (e.g., “Your phone could be the key to everything—or the lock”).
Demand transparency – request full technical specifications, security audits, and independent impact assessments.
Advocate for voluntary, decentralized alternatives – such as self-sovereign identity systems that put control in users’ hands.
Stay vigilant – governments often relaunch similar proposals under new names. Track legislative movements and be ready to respond.

For the full EFF submission, read the original document here.

Tags: