Former MI6 Chief Warns of the Security Risks of the UK Government’s Proposed Digital Identity System

“When you aggregate data into one massive base, of course it immediately becomes a target for the country’s enemies.”

Richard Dearlove, the former head of MI6, has lambasted the Starmer government’s plans for a national digital identity system, warning it would “immediately become a target for the country’s enemies”. Dearlove, who led MI6 from 1999 to 2004, said emerging quantum technologies could undermine the security systems designed to protect the digital identification system.

“When you aggregate data into one massive base, of course it immediately becomes a target for the country’s enemies,” Dearlove told the right-wing broadcaster GB News. “You therefore must be sure that the citadel is impregnable. However secure you believe the system to be, quantum computing when it arrives could render redundant your defences.”

By “enemies” Dearlove appears to have one particular country in mind: China. According to official UK records, Chinese cyber spies already accessed the UK’s Electoral Commission’s Microsoft Exchange Server, potentially exposing the personal data of approximately 40 million UK citizens for over a year.

Dearlove’s name may be familiar even to non-UK-based readers. During his time as MI6 chief, he helped furnish then-Prime Minister Tony Blair with the flawed intelligence on Iraq’s WMD capabilities that helped pave the way to the second Gulf War. He also had a hand in the Russiagate scandal, having advised Christopher Steele on the Trump dossier.

In short, Dearlove is a rather unsavoury character, even by senior spooks’ standards, and has played a part in some of the worst crimes of this still youngish century. At the same time, one would expect him to know a thing or two about systems security.

That didn’t stop him from apparently falling victim to a Russian hack in 2018. In 2022, the former spy chief went public with claims that personal emails of his had been hacked and published on a website called Very English Coop [sic] d’Etat.

According to The Daily Telegraph, the website claimed the emails were proof of a conspiracy between leading Brexiteers including Dearlove, Gisela Stuart, a former Labour MP, and the historian Robert Tombs to embed a pro-Brexit spy in the UK negotiating team led by Olly Robbins, the UK’s former Brexit negotiator.

“Worse Than… Horizon”

Asked by GB News whether the Starmer government should change course on digital identity, Dearlove responded: “Better not to create the target and the temptation in my view.”

Whether Dearlove has ulterior motives for undermining Starmer’s digital identity plans, such as protecting the interests of tech companies with interests in the sector, is unclear. But he is not the only high-profile figure to have warned about the security risks of the government’s proposed digital identity system. And those risks do seem very real.

Speaking in a Westminster Hall debate, Conservative MP David Davis said:

“What will happen when this system comes into effect is that the entire population’s entire data will be open to malevolent actors — foreign nations, ransomware criminals, malevolent hackers and even their own personal or political enemies.

“As a result, this will be worse than the Horizon [Post Office] scandal.”

Davis has a point. In fact, it is a point we made over six months ago, in our post “Is the UK Creating a Giant Bonanza for Hackers and Nation-State Adversaries With Its ‘One Login’ Digital Governance System?” As we warned in that post, the UK has a horrid record when it comes to protecting citizens’ data and running IT operations in general:

[If] not properly secured, [digital identity systems] risk creating a perfect bonanza of lucrative data for hackers and nation-state adversaries — of which, let’s face it, the UK has plenty. They could also create key points of vulnerability within the UK government and civil service’s IT systems.

According to IBM’s X-Force Threat Intelligence Index report, published in 2023, the UK suffered the most cyber attacks of any country in Europe in 2022, accounting for a staggering 43% of all attacks. Meanwhile, the current state of the UK government’s One Login system, which will serve as the access system for the forthcoming digital ID wallet, is hardly reassuring.

Zero Trust

As Computer Weekly reported in April, One Login is still not compliant with cyber standards for critical services, has lost its certification against the government’s own digital identity system trust framework, and a recent simulated hack revealed that attackers could gain privileged access without detection.

If that isn’t enough to win one’s trust, it was also revealed in 2022 that parts of One Login were being developed on unsecured workstations by contractors without the required security clearance in Romania, a nation that ranks sixth on the World Cybercrime Index.

One Login is already up and running, however, and has 12 million sign-ups, roughly equivalent to one out of four English citizens. Once fully operational, it will underpin the forthcoming Gov.uk Wallet, which will be used to deliver digital versions of key government documents, such as driving licences, birth certificates and passports as well as private sector credentials.

Yet the system is not remotely secure, warns The Telegraph’s Andrew Orlowski, who has reported extensively on the flaws in the UK’s digital identity infrastructure.

Criticism of Starmer’s digital identity plans, which are obviously not his own, is mounting, even in legacy media.

LBC (the London Broadcasting Company) published an interesting op-ed by Irra Ariella Khi, the CEO of Zamna, an aviation identity company, who advises governments and industry leaders on digital identity. She made a key point about the government’s constant citing of Estonia’s long-established digital governance system as a source of inspiration for its plans:

The UK Government often points to Estonia as the model for digital identity. But Estonia’s entire population (1.6 million) is roughly the size of Croydon. You can’t copy-paste a small national system like that and expect it to work for 67 million people. It’s like taking something designed to run at 100% in Estonia and expecting it to hold up at 4,000% capacity in the UK.

This is especially true when you consider that the UK’s IT infrastructure largely consists of a hotch-potch of poorly designed legacy systems, and that the country has a disastrous track record with IT systems in general.

Even Estonia’s much smaller, better designed, longer established system has suffered its fair share of data breaches. In 2017, thousands of people were shut out from accessing online government services after the discovery of a security flaw. From the BBC:

A problem with the country’s national identity cards was identified earlier this year, affecting 760,000 people.

The flaw could let attackers decrypt private data or impersonate citizens.

Those who have not had their cards updated with new security certificates will no longer be able to use them to access some services from midnight.

Estonia’s digital ID system lets citizens access government and some private services such as medical records, voting and banking.

But security researchers found the encryption used in the ID cards was easily cracked which could, if exploited, let attackers impersonate people.

In Indonesia, enterprising criminals have come up with malware that poses as the country’s digital identity app, reports Biometric Update:

Cybersecurity researchers have discovered a malware app designed to steal financial data, which disguises itself as Indonesia’s national digital identity platform, Identitas Kependudukan Digital (IKD).

The malware app, named Android/BankBot-YNRK, was found circulating online outside of the official Google Play app store, posing as an APK file of the digital ID platform. Once a user installs it, the app will start exploiting Android permissions to gain access to sensitive data, targeting banking and cryptocurrency apps.

According to an investigation from cybersecurity firm Cyfirma, the Trojan operates stealthily by leveraging its permissions to observe what appears on screens, simulate button presses and automatically complete forms as if acting on the user’s behalf. It also transmitted device details, location data and a list of installed applications back to the attackers.

“Overall, Android/BankBot-YNRK exhibits a comprehensive feature set aimed at maintaining long-term access, stealing financial data and executing fraudulent transactions on compromised Android devices,” says Cyfirma.

The Meaning of “Mandatory”

The UK government continues to insist that its digital identity system will be optional, despite all evidence to the contrary, including its own declarations. And it’s getting a helping hand in this deception from “fact-checking” websites. Full Fact explains that the government’s plans for digital ID do not require all UK citizens to hold one, only those who want to work in the UK:

Digital ID would only be mandatory for those who are looking to work in the UK. It would therefore not be mandatory for everyone living in the UK. For example, someone who is retired wouldn’t need a digital ID.

But even that probably wouldn’t apply for long. Many governments with full-fledged digital identity systems, from Estonia to India, started off by assuring citizens that digital identity was totally optional — until it became necessary for just about everything. In India, access issues to the Aadhaar system have locked millions out of their legitimate benefits, even resulting in deaths.

In the UK, it is already mandatory (as of November 18) for business owners to register with Companies House via One Login — a fact that was not mentioned at all in the Full Fact article. That’s an additional six million people who will be corralled into the system — unless, of course, they refuse to or find work-arounds.

The ostensible reasons for this new requirement are to attract investment to the UK by bolstering transparency and to provide greater protection against fraud. While business registration processes could do with being beefed up, forcing business owners to register on One Login risks exposing millions of people to a much greater fraud risk, warns Infosecurity Magazine:

Michael Perez, director at managed service provider Ekco, warned that the One Login ID verification service used by the government is itself a security risk.

He claimed it has failed to meet all government Cyber Assessment Framework outcomes and has historically been plagued by issues including software vulnerabilities and insecure logins.

“Requesting millions of individuals to submit sensitive identity documents via a platform that hasn’t fully adopted secure-by-design principles introduces significant risk,” Perez argued.

“It concentrates vulnerability and could expose users to breaches at a time when public confidence in digital systems is already under pressure.”

These system and data security vulnerabilities are just two of many problems posed by digital identity. Oracle Film’s Phil Wiseman offers a solid overview of some of the other core issues:

I’m observing a big semantics problem in the Digital ID discussion. Hopefully this post can provide some clarity.

As I see it:

Digital IDENTIFICATION is the digitised equivalent of physical identification — anything which you currently use to identify yourself, such as a passport, driver’s license, bank card, utility bill etc.

This is what most people seem to think of when they think of ‘Digital ID’. It’s hard to see anything explicitly wrong with this idea. And that’s why I believe many are confused by the uproar and the massive pushback against ‘Digital ID’ initiatives.

Digital IDENTITY is the sum of those identifiers that exists in the form of data about you. It’s your digital footprint. Currently this largely exists in silos in fragmented public and private sector databases.

Again, nothing explicitly wrong with this idea, provided people understand the terms and conditions of the products they’re using and have provided fully informed consent for their data to be utilised for their respective, stated purposes. Though I’d wager most have not.

The inherent danger with Digital IDENTITY however, and the stated direction of travel, is the desire to introduce interoperability between these datasets on a global scale.

Such an environment is what’s formally referred to as DIGITAL PUBLIC INFRASTRUCTURE.

According to the principles of DPI, your digital footprint, also referred to as your ‘Digital Twin’, will be updated every single time you interact in society at any noteworthy level; be that using public services, filing taxes, making financial transactions, browsing the internet, posting on social media etc.

Any human action for which the exchange of data is required will facilitate the collection and profiling of said data – tethering it to your digital twin as a permanent record.

This is not speculation. This is what Digital Public Infrastructure is designed to enable.

This should pose some questions:

What happens when your digital identifier isn’t a physical app or a card but a biometric such as a fingerprint or facial recognition scan? What does opt-out look like at that point?

What happens when cash is eliminated, along with any analogue off-ramp from this closed digital environment?

What happens when such vast troves of data are inevitably surveilled by AI and enforcement mechanisms are introduced?

Carbon allowances, social credit scores, vaccine mandates… the potential for social control is quite literally endless. These enforcement mechanisms could be imposed centrally, automatically, at scale.

Add to that the fact that such systems are currently demonstrably insecure and offer a goldmine to would-be hackers. In summary, you are being coerced to onboard to a system loaded with immense personal risk, for which your consent is not required going forwards and if you refuse to participate, you will be penalised.

The one potential silver lining of the government’s mad rush to launch a digital identity system and compel mass adoption as quickly as possible, regardless of the system’s state of readiness, is Keir Starmer’s reverse Midas touch. If anyone can turn the entire country off the idea of digital identity, tarnishing it forever, it is Starmer, who managed to establish himself as Britain’s most unpopular prime minister on record in just over 12 months.

Net support for digital identity has already cratered from 35% in the early summer to -14% in early October, according to polling by More in Common. Just under 3 million people have so far signed a parliament petition calling on the government to immediately commit to not introducing a digital identity system, making it the fourth largest petition in British history.

The resulting debate will take place in the House of Commons on December 8. For interested UK-based readers, Big Brother Watch is offering a speedy tool for contacting your respective member of parliament to make your feelings known on the issue and urge him or her to attend the debate.

Granted, even if Starmer’s digital identity plan ends up becoming so toxic that Starmer, or his successor, has to abandon it, a revised plan with a different name will probably be proposed and actually deployed a couple of years later, just as happened recently in Switzerland.

As NC reader vao pointed out in a comment to a previous post, “whether it is with e-ID, CBDC, Internet censorship, increasing retirement age, or other topics, the powers that be interpret the loudest and most strident ‘NO!’ at best as ‘not now’”. And digital identity is one of the most important topics of all, given it is meant to serve as the foundation stone for the digital control grid that just about every country on the planet is frantically building.


13 comments

  1. lyman alpha blob

    To ameliorate any security concerns, just aggregate all the data in one place, but then put it in the cloud. Brilliant! Nobody will ever find it there.

  2. Michaelmas

    NC: Dearlove’s name may be familiar even to non-UK-based readers.

    If not, as you say, American readers will know some of Dearlove’s handiwork, the Steele dossier, which his former head of Russia intelligence at SIS (MI6) and some of Steele’s other associates put together at Dearlove’s direction. Before becoming head of SIS, Dearlove was formerly head of SIS’s Washington station, so he knows his way around the U.S. Not coincidentally, Dearlove was simultaneously a primary architect of (hard) Brexit behind the scenes and in front —
    https://news.sky.com/story/theresa-mays-brexit-deal-threatens-national-security-ex-mi6-chief-sir-richard-dearlove-warns-11603738

    Draw your own lines between those facts and the Ukraine war.

    NC: During his time as MI6 chief, he helped furnish then-Prime Minister Tony Blair with the flawed intelligence on Iraq war’s WMD capabilities that helped pave the way to the second Gulf War.

    And in 2003, during that time, a bioweapons scientist, David Kelly, who went public about the Blair government demanding that the existing evidence for Saddam Hussein’s bioweapons activities be ‘sexed up’ to justify the UK going into Iraq besides the US, conveniently committed suicide in questionable circumstances.
    https://en.wikipedia.org/wiki/David_Kelly_(weapons_expert)#Death:_17_July_2003

    1. Carolinian

      Yes we do know all that but what are we to make of it re “digital identity”?

      And re using Android phones as a basis for social organization one should say that some of us like Android precisely because it’s more open to user manipulation and non app store applications. By giving this power to users they are arguably taking away the power to protect by a digital Big Brother that we have no reason to trust in any case.

      Some of us try to stay “off the grid” as much as possible and assume that hackers are usually smarter than governments. With people like Trump and, per the above, Starmer running those governments this has likely never been more true.

      1. Michaelmas

        Carolinian: what are we to make of it re “digital identity”

        Fair enough. Re. digital identity, Dearborn’s interest very likely goes no deeper than what you’d expect — i.e. China and Russia bad, US good — from a lifelong member of the Henry ‘Scoop’ Jackson society. So he isn’t particularly interesting in the digital identity context from our POV.

        Carolinian: Some of us like Android precisely because … by giving this power to users they are arguably taking away the power to protect by a digital Big Brother that we have no reason to trust

        It’s probably naive to expect that to continue with Android. Also, if you’re talking about Android-based operating systems that ‘enhance security/privacy without sacrificing app compatibility,’ you don’t actually have that now with, say, GrapheneOS because you do sacrifice app compatibility. In the future, I suspect they’ll draw the net tighter on Android-based devices.

        So what you really want is something like Purism’s Librem 5, which is a Linux-based smartphone, Debian-based, fully free and open-source OS, independent of Android and iOS, that — most critically — prevents remote activation.

        Carolinian: Yes we do know all that (re. Dearborn)

        Sorry to sound like a monomaniac. It’s just that it’s not clear to me that most people do grasp that Dearborn is a significant reason why the world is as it is today — e.g. the triggering of the Ukraine war, the consequent destruction of the EU’s ‘economic motor,’ Germany, via German deindustrialization that’s accompanied that war, and the degradation of the EU then arising were all very likely a conscious strategy developed by Dearborn and others in the UK to accompany UK exit from the EU in 2016. For all that to happen in 2016-17, they required H. Clinton in the White House, thus the Steele dossier.

        1. Carolinian

          I’m typing on Linux right now but the sad truth is that open source has only been taken up by a small percentage of the public. I doubt that will change and certainly big tech and big telecom have no reason to want it to change. They love their spybots and advertising platforms.

          Computers are empowering to everyone but it’s a power (and a learning curve) that most don’t want. The passivity of TV is what most prefer and when it comes to screens I’m sure television overall still gets far more airtime even if it’s YouTube television. As the article is warning, we surely don’t want the far-fetched Big Brother prediction to improbably become our reality.

        2. Revenant

          I just tried to use One Login today to file a confirmation statement. The app will not run on my mobile (eOS fork of Android, without Google spyware). Lol!

          So I tried the web interface. It only allows you one attempt to be linked. I chose the wrong address (I have more than one) and it threw its hands up and said it would not be able to confirm my identity. I think this is because it uses credit bureau data (which I expected) and I now believe the electoral roll, which I have left in recent years (because I refuse to show ID to vote and all the choices are execrable). Using electoral roll data for validation is a very poor choice.

          So I had to obtain a letter (really a QR code) via the website, take it to a post office, have them read my passport biometric data electronically AND photograph it AND then photograph me. This is overkill, it would have been enough for the postmistress to eyeball me and my passport and validate me as ID’d. This is all lawyers and accountants do for identifying you legally, including ironically for passport applications.

          Stupid, broken, information greedy, anti-human system. Fortunately it will be badly written and die on live television in the near future, just watch!

          One nice touch, the little sub-post office has installed a white roll-up blind, which they pull down and turn a corner into a photobooth for the picture they take….

          1. Nick Corbishley Post author

            Thanks for that, Revenant. One can’t help feeling that the UK’s brush with digital identity will all end in tears of relief.

  3. bertl

    OK, so I’m a Luddite, and I ask myself what would Ned make of this? I think he would adopt the long established tradition underpinning what is left of our fragile democracy and, more importantly, our historic liberties, by keeping the diverse information about individuals in different government departments, non-government agencies and commercial organisations with the rights of personal access to check the truth of the information and the absolute right to privacy and the non-matching of public and commercial data about the person unless a senior judge issues a warrant granting limited rights to gather personal information from clearly specified but limited sources.

  4. The Rev Kev

    Supposing that this was up and running, I can think of another security threat to this database. How long before the US government not only demands their own backdoor to this database but perhaps their own copy of these files because “national security”. And no UK government would ever say no to such a request, particularly a Starmer government. So now you have two threat vectors at work here and if they start talking about how the rest of the Five Eyes need access too, well, the sky is the limit.

    1. Windall

      A third vector is selling the database in broad daylight.

      The Dutch are most likely going to sell Solvinity, the company that manages the servers of DigiD, to an American company called Kyndryl.

      DigiD is a digital ID for online government services.

    2. WillD

      Because they want to know who you are – and be able to track you, and then ‘control’ you by various means.

      That’s the problem, it isn’t just for the stated purposes, it is for far more nefarious ones.

      Physical ID is ultimately the only secure way – anything electronic can, and will be, hacked and stolen.

  5. Jason

    Is this more of a “the UK government is incompetent and will screw this up like all its other projects”, or are the objections to the digital ID more fundamental? If Estonia had one breakdown, that doesn’t seem like much. AFAIK Singapore hasn’t had a security breach for its Singpass system.

    Digital systems are precisely the kind of system one expects to scale up easily from 2 million to 67 million, provided the entity with 67 million is somewhat competent. Heck, India has gone ahead with 1+ billion, so size is no excuse.

    I feel the same tension regarding the debate over Covid lock-downs. Is the problem that lock-downs don’t work in principle, or is it that the UK government is incapable of executing?
