Andrew Orlowski writes:
Britain is subject to myriad dangers, from terrorist outrages to the threat of a nuclear conflict sparked by one or more of the world's autocratic superpowers.
But little attention is given to the danger presented by a threat taking shape much closer to home: ID cards.
If the Labour Government goes ahead with its planned digital identity scheme, collecting everybody's vital statistics under a single, computerised umbrella, Britain will be vulnerable to a hacker attack of unparalleled proportions. It will be feasible for an enemy – whether a foreign state, such as Russia or China, or an organised crime group – to hold the entire country to ransom.
Imagine a situation in which all state benefits – including pensions – were frozen, passports were rendered unusable and many crucial business functions were shut down. With all these services incapable of being restored until Downing Street met all the hackers' demands, the UK could literally be held hostage for billions of pounds.
Labour's blind obsession with a digital ID system, which dates back to the Blair administration, has the potential to make us vulnerable to the sort of attack that shut down Marks and Spencer's online operations for several weeks earlier this year.
I make my living writing about the impact of technology on modern life and, from evidence provided to me by a whistleblower, I have learned that hacking the British ID cards scheme would be child's play compared to taking down Marks & Sparks. This is because the government's long-standing dream of introducing a compulsory digital ID is underpinned by an existing computer system called One Login, a vast database designed to act as a single point of contact for access to up to 180 services, from tax and pensions to GP appointments and bank accounts.
In January, a senior civil servant responsible for assessing cyber security threats – whose team was sidelined after raising concerns about the project's vulnerability – provided me with a mountain of evidence that it cannot be trusted.
Their fears were borne out in dramatic fashion shortly afterwards when a so-called 'Red Team' exercise, which involved friendly specialists mimicking what attackers would do, showed hackers could gain control of the system without being detected. It proved that, once in control of the scheme, hackers could not only produce fake IDs, but create so much mayhem that the country would be brought to its knees.
To press ahead with the ID scheme now, without a complete audit of just how secure it is, would be nothing short of national suicide. The Government Digital Service team (GDS) knows this and warned as much in a revised business proposal for One Login it – rather belatedly – submitted to the Cabinet Office. It stated that security vulnerabilities could be exploited by 'fraudsters to steal user information or by hostile actors seeking to disrupt national infrastructure'.
It added: 'This could have severe consequences for a large number of people, and result in persistent reputational and political damage.' GDS has not released this document to the public or to parliament but I have a copy.
David Davis, an MP who has long taken an interest in privacy issues, points to the government's lamentable record when it comes to keeping our personal data safe.
'The state has lost over 20 million citizens' records in the past,' he says. 'And that was when those records were on much more secure physical media. Today, it may be the work of milliseconds for cybercriminals or foreign states to steal all our data. If that were to happen, it would be an irreversible disaster for the ordinary people to whom it happens.'
Yet the plans are so advanced and so complex that no one in Whitehall seems able to see the looming danger. Worse, Keir Starmer has an ideological commitment to introducing ID cards, because he is only the latest in a long line of Labour leaders with an obsession with centralised planning who is keen to assert government control over the identity documents of all its citizens.
One of his predecessors, Tony Blair, is not only one of the loudest and most insistent supporters of the scheme but someone who has a huge vested interest in its success. Larry Ellison, co-founder of Oracle, the tech giant that provides much of the software that powers One Login, is one of the biggest donors to the Tony Blair Institute For Global Change.
Under Blair and his chancellor, Gordon Brown, attempts to introduce a national ID card cost the taxpayer billions, before being abandoned in 2010. Blair never gave up on the dream: it just morphed from a physical entity to a digital concept. During the Covid pandemic, Blair's Institute called for mandatory digital IDs, in various different guises, no fewer than three times.
The architect of these initiatives was Kirsty Innes, the Institute's 'director of digital government' during the pandemic, with one proposal involving a 'vaccine passport'. Last year, Innes left Blair's organisation to join Starmer's favourite think tank, Labour Together, which was run by his chief of staff, Morgan McSweeney, for almost three years.
From there, she is leading the latest drive for 'a mandatory national digital identity', a move that has already attracted backing from 100 Labour MPs. While she no longer works for Blair, he continues to have his tentacles in every aspect of the scheme.
But the security of the material the PM wants us all to carry on our smartphones is built on very shaky foundations. After Blair's plans for plastic cards were abandoned in 2010, the government spent £400million developing a digital ID system called Verify that nobody wanted to use. In 2021, Michael Gove – as chancellor of the Duchy of Lancaster – formally scrapped it and asked GDS to build a replacement.
The new scheme, officially called One Login, is known internally as simply 'digital identity'. Around four million people already use it to access a variety of government websites – for example, to register a business, or to apply to be a teacher or social worker. One Login is a Whitehall IT juggernaut, employing over 700 people, including more than 300 contractors, many of whom were engaged without the necessary security clearance to process sensitive personal data.
Extraordinarily, a number of the software engineers engaged by Deloitte, one of the government's leading consultants on the project, were based in Romania. The decision to outsource the work to this eastern European country defies all rational understanding. Its capital Bucharest is nicknamed 'Hackerville' and is 'the cyber-crime capital of the world', according to the Organised Crime and Corruption Reporting Project. Meanwhile, the World Cybercrime Index, which polls 92 cybersecurity experts, ranks Romania as even worse than North Korea.
Security standards among One Login developers, both in Romania and here in the UK, have been lax in the extreme. Engineers were allowed to use their laptops for casual personal tasks, such as looking at TikTok videos, alongside their work. The potential for hackers to exploit such a careless attitude is effectively limitless.
Yet One Login is going to be the basis of Labour's version of the Apple Wallet – an iPhone feature that lets users collect all their payment cards, tickets and other financial data in one place. The current and not very catchy name for the government version will be Gov.UK Wallet. And the most important item in your Gov.UK Wallet will be your ID card, to be called the BritCard.
Peter Kyle, who was secretary of state for science, innovation and technology until a Cabinet reshuffle earlier this month, could hardly contain his enthusiasm when he showed off a mock-up of the Wallet app in January at the Whitechapel office block where the GDS is based.
His naivety is breathtaking. Even if we set aside the obvious threat to national security, Labour ministers are flatly ignoring the potential for individual identity fraud.
To have every aspect of your life, excluding health data, linked to a single app is 'a licence for scammers to impersonate you,' warns Guy Herbert of the campaign group No2ID. 'Once they've grabbed your phone, they've got everything.'
He's not alone in having serious reservations about the scheme. Security expert and digital identity consultant Mark King, formerly of the National Cyber Security Centre, part of GCHQ in Cheltenham, says: 'It's putting all your eggs in one basket. One Login is a particularly egregious version of what's known as a single point of failure.'
Identity fraud already costs the UK £1.8billion a year, accounting for almost two thirds of the cases filed on the National Fraud Database. And private individuals are by no means the hackers' only victims. The Civil Service has already proved an easy target.
Last June, HM Revenue and Customs admitted that gangs had obtained the records of 100,000 taxpayers, defrauding us of £47million in PAYE rebates.
The sheer scale of the security risks attached to digital ID projects has already prompted a rethink across the Atlantic. US President Donald Trump has begun to dismantle a range of ID projects launched by his predecessor, Joe Biden. A digital ID system, wrote Trump in an Executive Order, 'systematically defrauds public benefits programmes, costs taxpayers and wastes Federal Government funds.'
But just as America is securing its citizens by abolishing its digital ID plans, the UK is rushing headlong in the opposite direction – towards disaster.
The fight of our lives.
ReplyDeleteYes. Again.
Delete