There’s something Starmer isn’t telling us about his digital ID plans…
And it all centres around a little-known system called One Login.
Thread 🧵
And it all centres around a little-known system called One Login.
Thread 🧵
From the level of outcry yesterday, it’s safe to say that many are aware of Starmer’s scheme to impose mandatory digital ID, dubbed BritCard, on every working person in the UK—citizen and foreigner alike.
For context, BritCard was initially advanced by Labour Together, the think tank Morgan McSweeney ran before becoming Starmer’s chief of staff.
Now, Starmer claims BritCard will help tackle illegal migration, and to be fair, it might—a little. But this is coming from a man who promised to stop illegal immigration, and since then, we’ve only seen record highs.
What seems to have been entirely forgotten, however, is that the government already has a digital ID scheme in place.
And let’s just say… there have been a few issues.
And let’s just say… there have been a few issues.
In May, journalist Andrew Orlowski was contacted by a government whistleblower who revealed some of these issues involving something called One Login.
One Login is the digital identity service system created by the Government Digital Service (GDS) in 2021 that will help deliver BritCard.
It was designed to give citizens streamlined access to hundreds of government services and, through the GovUK Wallet, store key digital documents such as driving licences.
It currently processes the personal and biometric data of some three million citizens and has already chewed through over £300 million in public funds.
(In fact, the total cost of our digital ID escapade so far totals upwards of £700 million when you include the Conservative's digital ID programme, Verify, which was abandoned in 2023...
That's a lot of houses.)
That's a lot of houses.)
When the whistleblower, who worked as a senior civil servant, arrived on the One Login project to set up an information-assurance team in 2022, he encountered complete chaos.
The system was being accessed thousands of times a month by users holding unrestricted “do anything” system-administrator privileges.
(And yes, many did not have the security-clearance required to work with such sensitive data.)
(And yes, many did not have the security-clearance required to work with such sensitive data.)
So we're talking about hundreds of government employees having access to an unprecedented amount of very private information.
Tie this in with past incidences of data misuse and institutional political prejudice and we have a troubling picture.
Worse still, GDS did not require locked-down workstations for either its remote-working staff or the hundreds of external contractors involved in developing the system.
In other words, this made it ripe for cyber attack.
In other words, this made it ripe for cyber attack.
But it got worse yet...
The civil servant discovered that part of the One Login system was being developed in Romania—a country that researchers at Oxford University have identified as one of the world’s "cybercrime hotspots".
The civil servant discovered that part of the One Login system was being developed in Romania—a country that researchers at Oxford University have identified as one of the world’s "cybercrime hotspots".
Next come the conflicts.
Turns out, the same contractor responsible for developing One Login is the same one responsible for managing its risks.
Can a company objectively assess the risks of a system they themselves helped build?
Turns out, the same contractor responsible for developing One Login is the same one responsible for managing its risks.
Can a company objectively assess the risks of a system they themselves helped build?
In fact, according to the civil servant, no external provider has conducted a security and risk assessment at all.
This would immediately disqualify it for use in other sectors.
This would immediately disqualify it for use in other sectors.
To put the danger into perspective:
It would take only one user with certain privileges to create havoc—to install a back door into One Login that nobody would spot until it was too late.
It would take only one user with certain privileges to create havoc—to install a back door into One Login that nobody would spot until it was too late.
Want to guess what happened when all of this was raised with the GDS hierarchy?
Rather than investigate, senior figures quietly reassigned staff from the civil servant assurance team to menial duties. A formal HR complaint was then lodged against the whistleblower, and new officials were swiftly brought in to replace them.
As one digital-identity expert remarked to Orlowski on the scheme's potential dangers:
"Imagine if [what happened to M&S] happened to Companies House or the Land Registry"
"Imagine if [what happened to M&S] happened to Companies House or the Land Registry"
Put simply: the UK’s digital ID scheme has already been marred by alarming security lapses, not just technical failures, but institutional ones, fuelled by a civil service committed to concealment over correction.
Starmer's plan will likely amplifies this—on steroids.
Starmer's plan will likely amplifies this—on steroids.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
