It will not stop criminal activity. It hands your identity to US-controlled infrastructure subject to US law. It will harm the vulnerable. And the child protection argument doesn't hold up to scrutiny.
Part 1 traced who built the internet, who profited from it, and why declining platforms see Digital ID as corporate immortality. Part 2 examined the human cost of losing anonymous access — from LGBTQ+ teenagers in rural areas to abuse survivors researching their options. This part makes the technical and legal case: why Digital ID is itself the primary safety risk, and why what is being built is not what it claims to be.
We are living through a sustained period of escalating, sophisticated cyber attacks. In 2024, a ransomware attack on Synnovis — an NHS blood testing partnership — forced hospitals in London to cancel thousands of appointments and resulted in the exposure of patient data affecting hundreds of thousands of people.[1] In 2023, the Electoral Commission disclosed it had been subject to a hostile attack giving access to the electoral registers of approximately 40 million people — access that had gone undetected for over a year.[2] The Ministry of Defence, multiple NHS Trusts, and HMRC have all experienced significant data incidents in recent years.
The UK government does not have a good record of keeping data safe.
Against this backdrop, the proposal is to build centralised infrastructure linking every citizen's verified identity to their digital life.
Think carefully about what that actually is. A system that tells you who every person in the country is — what they read, what they search for, what political views they express, what health conditions they research, what communities they belong to, what they are afraid of.
One breach — and there will be a breach, because there is always a breach — and that information is in the hands of whoever got there first. Criminal gangs. Hostile state actors. Private intelligence firms with commercial motivations. Former employees. Future governments with different values from the current one.
The people proposing this are telling you it will make you safer. They are proposing to make you catastrophically, irreversibly vulnerable — and calling it safety.
Labour's own MPs recognised this. Rebecca Long-Bailey said in the December 2025 parliamentary debate that the real fear was that "we will be building an infrastructure that can follow us, link our most sensitive information and expand state control over all our lives." She added that this policy "does not arrive in a vacuum — it sits alongside a worrying pattern: the accelerated roll-out of facial recognition, attempts to weaken end-to-end encryption, and data laws that strip away privacy protections."[3]
"We will be building an infrastructure that can follow us, link our most sensitive information and expand state control over all our lives."
Rebecca Long-Bailey MP, House of Commons Digital ID Debate, December 2025
The Sovereignty Illusion — It's Not a British System
There is a dimension to this debate that has received almost no attention in mainstream coverage, and it is the one that should concern engineers, security professionals, and anyone who cares about what digital sovereignty actually means in practice.
The Government Digital Service — the body building GOV.UK One Login, the authentication layer on which Digital ID would be built — mandates Amazon Web Services as its core infrastructure provider. This is not contested. It is published GDS policy.[4] AWS signed contracts worth £894 million with three central government departments in a single day in December 2023 — £450 million with the Home Office, £350 million with HMRC, and £94 million with the Department for Work and Pensions.[5] Across the UK public sector, 95% of central and local public sector organisations spent budget on hyperscale cloud services in 2023/24 — when software services running on hyperscale cloud are included, that figure rises to 99%, covering more than 1,100 public sector bodies including government departments, councils, police forces and NHS organisations.
Amazon Web Services is an American company. It is subject to US law. Specifically, it is subject to the CLOUD Act — the Clarifying Lawful Overseas Use of Data Act, passed by the US Congress in 2018. The CLOUD Act grants US law enforcement extraterritorial authority to compel US companies to produce data stored anywhere globally, and makes geographic data residency in UK regions legally irrelevant when American corporate jurisdiction enables compelled disclosure.[6]
The critical point is this: it does not matter that the servers are in London. What matters is who controls the company that runs them. UK law enforcement cannot order a UK company to hand over data held by AWS. But US law enforcement can — because AWS is an American corporation, and the CLOUD Act follows the corporation, not the geography.
A UK-US CLOUD Act agreement came into force in October 2022, creating a government-to-government mechanism for data requests. This cuts both ways: it gives US authorities a legal channel to UK-held data, and UK authorities a channel to US-held data.[7] The agreement contains procedural safeguards. But the structural reality is unchanged: the identity records of every person in the country would sit on infrastructure owned by a US corporation, subject to US jurisdiction.
As one analysis puts it: "UK organisations selecting US providers create the jurisdictional conflicts that enable foreign government access."[8] The problem is architectural, not contractual. No terms and conditions fix it.
The device layer compounds this further. The GOV.UK Wallet — the mechanism by which digital ID would be held — lives on phones running iOS (Apple, US company, US jurisdiction) or Android (Google, US company, US jurisdiction). The UK has already used the US-UK CLOUD Act agreement to attempt to compel Apple to disable end-to-end encryption on iPhone backups globally — a demand Apple resisted and which has been reported by Lawfare as an extraordinary overreach.[9] The device manufacturers who would hold your identity credential are the same companies whose encryption the UK government is actively trying to undermine.
The government's own consultation document cites Estonia as the model for what Digital ID could achieve.[10] Work and Pensions Secretary Pat McFadden identified the Estonian identity card explicitly as the inspiration for the scheme in Parliament. This comparison is either dishonest or reveals a fundamental misunderstanding of why Estonia's system works.
What makes Estonia different is its philosophy. Data is decentralised across secure databases, connected by a backbone called X-Road. Every access is logged, so citizens can see who looked at their data and why. Estonian engineers designed X-Road at its inception to ensure data sovereignty while enabling seamless interoperability — a standardised, reusable infrastructure operating securely over the public internet, with the sovereignty built into the architecture from the ground up.[11]
X-Road is open-source software, developed and controlled by the Nordic Institute for Interoperability Solutions — a consortium of Estonia, Finland, and Iceland. It runs on infrastructure owned and operated by the Estonian state. It is not hosted on AWS. It is not subject to the CLOUD Act. It is not dependent on Apple or Google to deliver the wallet. The entire value of the Estonian system is that Estonia controls it. A British system built on US hyperscaler infrastructure and delivered via US-controlled devices is not Estonia. It is the aesthetic of Estonia layered on top of the sovereignty problem it was specifically designed to solve.
The Liberal Democrat spokesperson for science and technology, Tim Clement-Jones, put it plainly when discussing the UK's hyperscaler dependency: "If you see that kind of risk, where a hyperscaler like Microsoft can be pressured to withdraw a service, you have to look at the fact that we are so heavily embedded — we've got Microsoft, AWS and Google all over government. Where are the alternative UK suppliers?"[12]
The question answers itself. There are none. Because the government's cloud-first policy has spent a decade ensuring there would be none. Digital ID, built on this infrastructure, does not create a sovereign identity system. It creates a US-controlled identity system with British branding — and it creates it at precisely the moment when the reliability of US institutional alignment with UK interests is less certain than it has been at any point since the Second World War.
It Won't Work. And It Will Cause Harm.
The practical argument against Digital ID is straightforward and devastating.
Criminal activity online — exploitation of children, trafficking, radicalisation, serious organised crime — does not primarily occur on the open, indexed, regulated web that Digital ID would affect. It occurs on the dark web, in encrypted channels, in private networks specifically engineered to resist identification. Tor, I2P, and the range of tools used by serious criminal actors are not affected by whether a mainstream browser requires identity verification — these tools were engineered specifically to resist exactly this kind of architecture.[24] The people conducting serious criminal operations will route around age verification in minutes. They already have. It is where they live.
What Digital ID will do is impose a surveillance layer on the law-abiding majority that provides negligible safety benefit and measurable, serious harm to the most vulnerable people the system claims to protect.
The person researching addiction will not seek help if their real identity is attached to the search. The young person questioning their sexuality in an unsupportive household will not look for community if their browsing is attributable. The abuse victim researching their options will not reach out if they cannot do so privately. The person in the early stages of leaving a controlling relationship will not look for resources if every search is traceable. The person with a stigmatised mental health condition will not seek information if doing so creates a permanent record.
The internet gave vulnerable people a private route to information and connection that had never previously existed in human history. Digital ID closes that route — and closes it in the name of people who have demonstrably failed to use the mechanisms that were already available to them.
We do not need to speculate about what happens when governments mandate the collection of identity data at scale. It happened last year. The UK government mandated it. The data was collected. And then it was stolen.
Discord, October 2025: the Online Safety Act creates the data. Criminals take it.
In October 2025, Discord disclosed that hackers had breached a third-party provider used to process age verification appeals — a mechanism created specifically to comply with the UK's Online Safety Act. At least 70,000 government-issued ID photos — passports and driver's licences — were exposed, along with names, email addresses, IP addresses, support transcripts, and billing metadata.[13] The hackers demanded $5 million. Discord refused to pay. The breach lasted 58 hours — the result of a single compromised support agent account, not a sophisticated nation-state attack.
Notice what Discord actually is: a platform used primarily by gamers and online communities. Not a pornography site. The Online Safety Act's age verification requirements were sold to the public as protecting children from adult content. They have already migrated to a gaming platform before Digital ID has even launched. Proton — the Swiss privacy company founded by CERN scientists, with no commercial interest in this outcome — described it plainly: this breach shows "how far the mission creep of age verification laws, whose stated purpose is to protect kids from pornography, has already spread."[14]
The causal chain is not complicated. The Online Safety Act required Discord to collect verification data. The data was handed to a third-party vendor. That vendor was compromised. The IDs were stolen. The law created the data. The data created the target. The target was hit. And the hackers who hit Discord were ransomware criminals. Digital ID will attract nation-states.
Discord then moved to a second age verification vendor — Persona, a $2 billion startup partially funded by Peter Thiel's Founders Fund. Security researchers examining Persona's code found it exposed on a US government-authorised server — 2,456 publicly accessible files revealing what age verification actually does once it has your face. The system performed 269 distinct verification checks: cross-referencing selfies against watchlists of politically exposed persons, screening for adverse media across 14 categories including terrorism and espionage, generating risk scores, capturing browser fingerprints and device fingerprints — and retaining all of it for up to three years. It even performed "similar background detection" matching users' selfie backgrounds against other users in the database. If you verified at home, the system noted your background and linked you to every other account verified in the same location.[15]
This was the system checking whether a teenager should be allowed to use voice chat on a gaming platform.
The pattern repeats everywhere this policy has been tried. In 2024, Australia greenlit an age verification pilot for bars. Hours later — the same day — the mandated verification database was breached.[16] The engineer who helped expose Persona's surveillance stack observed: "Normies won't be able to bypass these — while less benevolent people will always find ways to exploit your system." The IEEE — the world's largest professional engineering body, not a civil liberties organisation — is now publishing that age verification systems "fail in predictable ways" and undermine the very protection of children they claim to provide.[17]
Mike Masnick at Techdirt named the structural engine driving all of this: the verification companies lobby for stricter mandates because every new mandate is a guaranteed revenue stream. "Child safety has simply become the marketing department for a rent-seeking surveillance industry."[18] Discord kept rotating vendors — each promising their system would not leak — right up until it did. The problem was never the vendor. The problem is the mandate that requires the data to exist.
Proton's conclusion is the only intellectually honest one available: even those who take child safety seriously, even those who acknowledge the harms of unregulated online access, must accept that age verification systems cannot be deployed until "genuinely secure, decentralised, open standard solutions that genuinely respect your privacy are developed and made widely available."[14] The Estonia model in the sovereignty section above is exactly what that looks like. What the UK government is building is not that.
The Child Protection Argument, Examined
And now the argument that is designed to end all argument.
Digital ID. Age verification. Online safety. The children.
The deployment of child protection as the justification for Digital ID deserves to be examined with the same rigour we apply to any other claim. When we do, the gap between the stated justification and the verifiable record of those advancing it is large enough to be structurally significant.
The existing legal framework for addressing child exploitation online is not inadequate. The National Crime Agency's CEOP Command operates within existing law and has achieved real results.[19] The tools exist. What they require is political will and adequate resourcing — both of which have been provided more reliably to bodies pursuing copyright infringement than to those pursuing serious exploitation.
Keir Starmer was Director of Public Prosecutions when the Crown Prosecution Service reviewed the Jimmy Savile file in 2009 and concluded there was insufficient evidence to prosecute.[20] Savile was by then already known to some in the establishment as a serious predator. The Independent Inquiry into Child Sexual Abuse subsequently found he had abused victims across thirteen NHS hospitals over decades.[21] The failure was institutional. Starmer led the institution.
The figures who appear in proximity to child protection policy — whose networks intersect with the circles that shape online safety legislation — do not uniformly have records that invite deference to their instincts on this subject. The partial release of documents relating to Jeffrey Epstein's network is revealing not because of what it confirms but because of what it tells us about the distance between the public positioning of the powerful and their private conduct.[22]
What the record actually shows is this: our laws, when applied with genuine intent, work. The Digital Economy Act 2010 was enforced with more consistent energy against teenagers downloading music than against the abuse of children by those with access to institutional protection.[23] That disproportion is not accidental. It is the system revealing its actual priorities.
Digital ID will not protect children from those who abuse them with institutional impunity. It will prevent vulnerable young people from anonymously seeking help — which is precisely what Part 2 of this series documented. It makes the internet less safe for the people it claims to protect.
The child protection argument for Digital ID is a political instrument. It is deployed to make opposition toxic and silence dissent. It deserves to be named as such — and then set aside so the actual argument, about surveillance, about corporate immortality, about who controls access to the information commons that was given to all of us, can be examined on its merits.
Next: Part 4 — The Street. We are turning the tide. 2.9 million signatures. A Labour government on its 13th U-turn. Rallies in London, Edinburgh, Cardiff and Belfast on 25th April. Here is where we stand and what you can do.
References and Sources
[1] NHS England (2024). Statement on Synnovis ransomware attack, June 2024. england.nhs.uk
[2] Electoral Commission (2023). Statement on cyber attack. electoralcommission.org.uk — attack gave access to registers of approximately 40 million people; undetected for over a year.
[3] Hansard (2025). Digital ID. House of Commons Debate, 8 December 2025. hansard.parliament.uk/commons/2025-12-08/debates/9E01F17C-557A-4D02-8A93-B573721B8B20/DigitalID
[4] Government Digital Service (2024). Working with AWS Accounts — The GDS Way. gds-way.digital.cabinet-office.gov.uk — "Teams in GDS should use Amazon Web Services (AWS) as their core infrastructure provider."
[5] Computer Weekly (2024). AWS secures £894m in cloud spend across three contracts with UK government on same day. computerweekly.com — contracts with Home Office (£450m), HMRC (£350m), and DWP (£94m), all live from 1 December 2023.
[6] Kiteworks (2025). CLOUD Act: Resolve UK GDPR Conflicts with Data Sovereignty. kiteworks.com — "The CLOUD Act grants US law enforcement extraterritorial authority to compel US companies to produce data stored anywhere globally, overriding local laws and making geographic data residency in UK regions legally irrelevant when American corporate jurisdiction enables compelled disclosure."
[7] CSIS (2024). Untapping the Full Potential of CLOUD Act Agreements. csis.org — the UK-US agreement on Access to Electronic Data for the Purpose of Countering Serious Crime came into force 3 October 2022.
[8] Kiteworks (2025). Op. cit. — "UK organisations selecting US providers create the jurisdictional conflicts that enable foreign government access."
[9] Lawfare (2025). First Insights Into the U.S.-U.K. CLOUD Act Agreement. lawfaremedia.org — "the UK has sought to compel Apple to disable certain end-to-end encryption protection on all iPhone backups globally."
[10] GOV.UK (2026). Making Public Services Work for You with Your Digital Identity — Government Consultation. gov.uk — the document explicitly cites Estonia as a model for the proposed scheme.
[11] Nortal (2025). Why Digital Sovereignty Matters and How X-Road Makes It Happen. nortal.com — "At its inception in 2001, Estonian engineers designed X-Road to enable secure, cost-efficient data exchange within the government while minimizing system integration complexity... This approach ensured data sovereignty while enabling seamless interoperability."
[12] Computer Weekly (2025). The Rise of the Splinternet? Data Sovereignty Risks and Responses. computerweekly.com — quoting Liberal Democrat spokesperson Tim Clement-Jones on UK hyperscaler dependency.
[13] Discord (2025). Update on a Security Incident Involving Third-Party Customer Service. discord.com — confirmed approximately 70,000 users had government-ID photos exposed; data also included names, usernames, email addresses, IP addresses, and message transcripts. Breach lasted 58 hours from a compromised support agent account. October 2025.
[14] Proton (2025). Discord ID data breach: Why the world isn't ready for age verification laws. proton.me/blog/discord-age-verfication-breach — "Age verification laws should not be implemented before genuinely secure, decentralised, open standard solutions that genuinely respect your privacy are developed and made widely available." October 2025.
[15] Fortune (2026). Discord distances itself from Peter Thiel–backed verification software after its code was found on a U.S. government server. fortune.com — Persona found to perform 269 distinct verification checks, retain data for up to three years, conduct selfie background matching across users, and screen against watchlists of politically exposed persons. February 2026. See also: The Rage / vmfunc.re/blog/persona
[16] Techdirt (2024). Hours After Aussie Govt Greenlights Online Age Verification Pilot, Mandated Verification Database for Bars Is Breached. techdirt.com — cited in Masnick, M. (2026), Hackers Expose The Massive Surveillance Stack Hiding Inside Your "Age Verification" Check. techdirt.com, 25 February 2026.
[17] IEEE Spectrum Magazine (2025–2026). Age Verification — cited in Techdirt (2026), op. cit. — "These systems fail in predictable ways. False positives are common... The appeal process itself creates new privacy risks. Scale that experience across millions of users, and you bake the privacy risk into how platforms work."
[18] Masnick, M. (2026). Hackers Expose The Massive Surveillance Stack Hiding Inside Your "Age Verification" Check. Techdirt, 25 February 2026. techdirt.com — "Child safety has simply become the marketing department for a rent-seeking surveillance industry." Researchers' quote: "The internet was supposed to be the great equalizer. Information wants to be free, the network interprets censorship as damage and routes around it, all that beautiful optimism. And for a minute it was true."
[19] National Crime Agency (2024). CEOP Command Annual Review. nationalcrimeagency.gov.uk
[20] Crown Prosecution Service (2013). Statement on Jimmy Savile file. cps.gov.uk — the 2009 CPS decision not to prosecute was reviewed and its reasoning published.
[21] Independent Inquiry into Child Sexual Abuse (2021). The Report of the Independent Inquiry into Child Sexual Abuse. iicsa.org.uk
[22] Miami Herald (2019–2023). Epstein court documents, partially unsealed. miamiherald.com
[23] Digital Economy Act 2010. legislation.gov.uk — sections 3–18 covering graduated response to copyright infringement, widely noted as disproportionately targeting individual downloaders.
[24] Tor Project (2024). About Tor. torproject.org — originally developed by the US Naval Research Laboratory; the primary tool for anonymous internet access outside of surveillance architectures.