Digital ID cards could be a disaster in the UK and beyond

The first ID card I ever had was the flimsy piece of laminated paper that made up my driver’s license. In the US, a driver’s license includes a photo, biometric information (eye colour, height, etc.) and birthdate. This led to usage creep: people used the cards as much more than a mere license to drive. Bars and liquor stores would “card” kids trying to get a drink, taking the information on it as proof that we were the proper legal drinking age of 21. Needless to say, I was 18 when I figured out how to doctor the birthdate on my card with a pencil so I could buy cheap cocktails.

This story sounds like a wee fairy tale from the 20th century, but it is deeply relevant to current debates over whether to implement digital ID cards in the UK and beyond. Sure, the cards themselves may be dramatically different, but the problems are the same. First, ID cards are always prone to usage creep. And second, they are incredibly easy to hack.

The British government is hardly the first to suggest that its citizens all carry a little ID app on their phones to access government or other public services. Digital IDs are currently required by the Chinese government, as well as those of Singapore, India, Estonia and many more. Proponents of digital IDs generally give similar reasons for using them: to cut down on fraud, to make it easier to buy things or travel and to prove who you are without carrying a bunch of physical cards or papers.

“It will be safer for you with this digital ID,” a government might say. “You can use it to make purchases or get healthcare, and as a fun bonus, nobody will ever mistake you for an immigrant and throw you in a detainment centre without proper food, sanitation or medication for weeks.” Oops, sorry – that got oddly specific for no particular reason. But you get what I’m saying. These cards are proffered as fixes for problems that aren’t problems (it’s not hard to carry my health insurance card) or require a lot more than an ID to solve (immigration is a huge, multifaceted issue).

But back to my point about usage creep. What happens when a government implements a digital ID on your phone that is supposed to be for verifying your citizenship status when you apply for a job or social services? At a basic level, it snuggles up to all your other apps, possibly sharing data with them. Some of these apps have access to sensitive information, like bank accounts, doctor’s appointments, personal conversations and photos.

As journalist Byron Tau chronicles in his excellent book Means of Control, many apps are already gathering information about you that you don’t realise, such as your location, spending habits and even what other apps are on your phone. There are companies that specialise in extracting this data from, say, your dating apps and selling it to third parties, including government agencies.

In the US, this is largely legal, which is super creepy. In the UK and Europe, there are regulations that prevent some of this rampant data-sharing. Still, the tech is there. The only thing protecting you from a government ID app that tracks your location by tapping into an unrelated app is the government itself. And governments change. Regulations change. Yet, once you start using that digital ID to get jobs, get into bars, pay for chips and ride the tube, it is unlikely you’ll chuck it.

This is the usage creep trap. A government might start using its digital ID in much more invasive ways than originally promised. Meanwhile, citizens might start using it for so many things that they decide the trade-off is worth it. Who cares if the government knows where you are every second of the day if it is easy to buy gum without a credit card? That’s great until the government decides you are a bad guy.

And I haven’t got to the hacking part yet. Even if a government doesn’t start using its digital ID to spy on you, a malicious adversary might. Someone could find a backdoor into government servers and gain access to your ID that way, or they might get your information through a phone app laced with spyware. This is why security experts have been warning the British government about the dangers of digital IDs. Even Palantir, the infamous US surveillance firm, has backed away from supporting digital IDs because, as one of its executives recently put it, they are “very controversial“.

You shouldn’t be worried about this stuff because someone might steal your identity. You should be worried in case they can track your location, read your texts, break into your bank account and listen to your phone calls. The fact is, there is nothing wrong with old-fashioned ID cards. Yes, they can be lost or tampered with. But at least when that happens, all you lose is the card. You don’t lose everything else with it.

Annalee’s week

What I’m listening to

Our Ancestors Were Messy, a podcast about Black celebrity scandals from a century ago, torn from the pages of Black newspapers.

What I’m reading

A Philosophy of Thieves by Fran Wilde, a futuristic caper where rich people hire thieves as entertainment at their parties.

What I’m working on

Researching the history of “review bombing”, where a piece of media or product receives a barrage of one-star reviews from users with a political agenda.