New Brit Card Creates ‘National Honeypot’ for Hackers and Identity Theft Risks, Tech Expert Warns
In light of Keir Starmer’s announcement on the upcoming ‘Brit card’, reportedly inspired by the Estonian model, a tech expert argues hints of vulnerabilities are already detectable, like creating a national honeypot for hackers by holding the information on an alleged central database.
Marc Porcar, CEO of QR Code Generator, welcomed the idea of identity cards in general as seen in many European countries, but warned that the scheme must be built ‘privacy-by-default, security-by-design’, learning from Estonia’s experience and the EU’s latest rules.
A central database creates a national honeypot for hackers
The proposal, as reported in the media on Thursday evening ahead of the official Friday announcement, would require checks against a central database via a smartphone app before employment or rental agreements proceed. That means one big system lots of services depend on, so if it breaks, many everyday tasks could stall.
“Digital ID can cut paperwork and help stop exploitation,” says Porcar. “But if you build a digital ID around a singular, delicate hub or collect more data than you need, you create a national honeypot. That is both a security risk and a trust killer. The UK should copy the best parts of Europe’s wallet approach and ban any tracking of where people use their ID. The app should only answer the specific question asked, like ‘right to work: yes/no’ and nothing more.
“A key lesson comes from Estonia, often cited as the model for digital government. In 2017, a flaw known as ROCA – a weakness in how some chips generate encryption keys – forced Estonia to suspend or replace hundreds of thousands of ID-card certificates at speed. A weakness in the ‘digital locks’ meant many keys had to be changed at once, like urgently recalling locks on most front doors in the country. The UK must assume such events will happen and rehearse rapid, mass key rotation ahead of time.
“The system simply working every day is just as important as cryptography. In November 2023, Estonia experienced a mobile-ID/ID-card service interruption that temporarily disrupted logins and digital signing, affecting banking and public services. People could not log in to their bank apps or sign documents for a few hours. A UK rollout must avoid single points of failure and support offline checks so hiring or tenancies do not grind to a halt if a central service is down.
“Criminals also target the mobile number itself through SIM-swap attacks, convincing a network to transfer your number to their SIM so they receive your security codes. In the UK, SIM-swap incidents surged by 1,055%, according to Cifas, and Ofcom has been forced to tighten telecom security by banning leased global titles used to intercept texts. If codes arrive by text, a fraudster who hijacks your number can reset your accounts. The solution is to avoid text verification for high-risk actions and use phishing-resistant methods like device-bound passkeys that will not work on fake websites.”
Will a UK digital ID track your location?
“Neither Estonia’s e-ID tools nor the EU’s EUDI Wallet are designed to track where you use them,” Porcar explains. “The EU regulation explicitly requires ‘unobservability’, which means wallet providers must not collect information about your transactions beyond what is strictly needed. In practice, scanning your proof at an employer should not ping a central system with your whereabouts. Estonia’s public ‘Data Tracker’ gives people a log of who accessed their data and when, improving transparency, not a GPS trail of their movements. The UK should copy both ideas: prohibit location collection and give citizens a clear audit view.”
Brit Card goes beyond immigration and work rights
“The architecture should use privacy-preserving digital credentials, such as small, signed digital cards in a secure wallet on your device, rather than constant lookups to a central database,” Porcar notes. “Think of it like showing a tamper-proof stamp that says ‘right to work: yes’ without exposing any other details. This reduces outages and stops data from piling up in one honeypot.
“The digital ID mock-ups the government has shared so far suggest that one’s driving licence and home addresses will most likely be incorporated. This means the Brit card is not just for immigration and work rights purposes, opening users up to identity theft risks. During the initial onboarding phase and eventual recovery step if you lose your phone, the system should follow ENISA’s high-assurance guidance. Opening an account should be as rigorous as getting a passport, and getting back in after losing access should be at least as strong, without any ‘text me a code’ shortcut that criminals can hijack.
“This also means other services that rely on two-factor authentication via text or email, both of which would be available on one’s lost phone, would need to ramp up security checks.
“For authentication, the UK should follow NCSC advice and prefer phishing-resistant methods like device-bound passkeys or qualified electronic signatures. In other words, even if you click a fake link, your phone’s cryptographic check will not talk to the attacker’s site, so your login cannot be stolen. The government should reserve SMS codes for low-risk scenarios only.
“Governance matters too. Providers and checkers should be certified under the UK Digital Identity and Attributes Trust Framework (DIATF), with Data Protection Impact Assessments (DPIAs) for each new use to prevent ‘mission creep’. That is when the system starts getting used for other, unintended purposes without consent or legal frameworks.
“Europe’s rules already show the way: no tracking of wallet use and strict data minimisation. Estonia’s ROCA episode proved that crypto breaks happen, even in world-class systems, so we must rehearse crypto-agility and mass key rotation. And with UK SIM-swap fraud rising, text must not be a backbone for onboarding or recovery. The government must build the Brit Card as verifiable credentials in a secure wallet, with offline fallback and independent auditing. If done right, we might see the electronic vote via mobile phones, another iconic Estonian model, implemented using the digital ID.”
