Yours Lawfully Podcast
Yours Lawfully Podcast
National ID or National Surveillance
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
"Critics argue that the UK is ‘sleepwalking into a surveillance society’ where more information is collected than what the British society would normally feel comfortable with"
In a world where we already carry our bank cards and travel tickets on our phones, carrying a national digital ID is touted as being the ‘boarding pass to getting on in life’. This is the promise of a national digital ID: a tool stored on your smartphone, allowing you to prove your identity instantly.
The UK government has set out its idea for how this could work. It wouldn’t be compulsory, but the goal is to make everyday processes smoother, cutting down on what the government sees as unnecessary paperwork and giving people a more control over their own information.
In this episode of Yours Lawfully, produced by qLegal for the TMT Institute, we are joined by Bryn Robinson Morgan, who has spent more than 20 years at the forefront of digital transformation and has experience designing digital identity systems for major organisations such as Mastercard and HSBC. He also advised the UK government on digital identity and privacy.
In this episode, we explore a simple but important question: what is a national ID? From its basic purpose to how it works in practice, we break down the role it plays in modern society and why governments are increasingly moving toward digital identity systems.
Imagine it's 7am, you're on your phone, finishing a write-to-run check for a new flat or applying for a dream job. Instead of hunting through a kitchen drawer for dusty utility bill or a physical passport, you simply tap a secure app at the click of a button, a digital tool held on a smartphone rather than a physical card. Instead of carrying paper documents, users would manage their identity through a dedicated app storing their identity. In a world where we already carry our bank cards and travel tickets on our phones, a national digital ID is expected to be a boring path to getting on in life. The UK government set out a vision for a new national digital ID aimed at moving Britain into the modern age by cutting pointless bureaucracy and putting power back into people's hands. But before it happens, a silent question is asked. What do we mean by a digital identity system? And why does the state think we need one?
SPEAKER_01Welcome to today's episode of Yours Lawfully. Based out of Queen Mary Award-winning commercial law clinic, we are Hema and Best, student here at the Queen Mary University of London. In today's episode, we are talking about national digital IDs, your name, your number, your nation, and why they matter more than ever. The UK's debate over identity system is not new. National identification scheme has historically emerged over the years. Decades later, it was presented in proper form. Formerly, the scheme was announced on October 23rd, 2025. The UK is currently navigating a significant transition towards a national digital identity system. A central pillar of the proposal is its role in managing migration and the labor market. It also represents a pivotal shift in the relationship between the citizen and the state. While the government sees it as an enormous opportunity to bring Britain into the modern age, it also has viewed as a technological assemblage that could fundamentally undermine privacy and civil liberties. Everything we talk about is detailed in the show notes. Link in the description. Today we are excited to be joined by Brian Robinson Morgan. He is a principal consultant at Morrisburg. Brynn has spent more than 20 years at the forefront of digital transformation and designing digital identity systems for major organizations such as MasterCard and HSBC. He has also advised the UK government on digital identity and privacy. Brian, would you like to introduce yourself for our listeners and give them a little idea about what you do?
SPEAKER_00Absolutely. I'll start by saying thank you very much for the invite. I'm an advisor and strategist specializing in digital identity. I work with governments and businesses to build the infrastructure, both the technology and the governance, that makes our digital lives more seamless and secure. My focus is how we build these digital identity ecosystems, how we make sure that they're secure, private, and most importantly, usable. I look at how we can use digital identity to make a positive impact in our everyday lives.
SPEAKER_02Let's start with introducing digital ID to our listeners. In simple terms, digital ID is a way to verify your identity online comparable to using an ID card in the physical world. Instead of presenting a physical document, your identity is verified electronically using a combination of personal data, credentials, or secure authentication methods. It allows individuals to access services such as government platforms or banking securely and remotely. However, there has been a criticism claiming it could lead to a permanent state of surveillance. Critics argue that the UK is sleepwalking into a surveillance society where more information is collected than what the British society would normally feel comfortable with, as it replaces the presumption of privacy with a recurement to turn over private data just to conduct daily life. So, Brain, to start with the basics, how does digital identity move from a concept to something on our phones? Could you walk us through how the system works and give us some real-world examples?
SPEAKER_00You raise a really interesting point there. When the UK government announced that it was going to mandate digital identity, there was a lot of negative reactions to it. Clearly, as someone who makes a living from advising on digital identity, I'm always going to talk passionately about it. And I'm going to talk about why it's a good thing to have. So let's get into an example as to what digital identity is. So my favorite use case is talking about when we're at a supermarket and we're at the self-service checkout. We've got a bottle of wine that we're buying for the weekend. And before we're able to actually complete that purchase, a red flashing light goes off above our heads, and somebody eventually comes over to see whether we're over 18 or not, whether we're able to complete that transaction. So the way that that works today is the member of staff, if you're fortunate enough to look young still, they'll come over and they'll say, Have you got a driver's license? Have you got a passport? So they're really asking for either a government-issued credential, such as driver's license or passport, or something that the government approves. So you have things like passcards, which the government say, Yes, you can use that for age verification for buying alcohol. The member of staff will take your driver's license, they'll check it to see whether it's real. So they'll check the security features on that document. Then they'll look at your date of birth and they'll do the sums and say, does that mean that you're over 18, under 18? When they've finally worked out your age, they'll then look at the picture that's on your driver's license and they'll compare that to your face. So that member of staff is doing all those checks so that they can then press the button on this self-service kiosk to say, yes, this person's age verified. What a digital identity does is it moves that from the physical driver's license or passport onto a digital identity. So something that you can have stored on your phone. So from a user experience point of view, it means that you can now go out just carrying your phone. You don't need to carry your driver's license or even worse, your passport, which you know is quite a big document. It's not something that fits in your wallet, it gets creased, it gets folded, it gets lost when you're on a night out. So by moving this to a digital service, from a user experience point of view, that's really good for the user. But for the supermarket checkout stuff, they no longer have to do those checks to make sure that it's a real driver's license. They don't need to calculate your age from your date of birth. And they don't need to do that match against the photo with the person that stood in front of them. All that can be done using technology. So it's better from the supermarket's point of view as well, because they're making sure that they've got compliance with the alcohol licensing laws and that they're doing those checks in a robust way. But also, one in five women have been victim to stalking. And if you're on a night out, on average, you might show five different people your driver's license to prove your age. And when they do that, not only are they seeing how old you are, but they also get to know what your name is. They can also read what your address is. And why does that matter? Well, if we take the case of Levi Belfield, he's a convicted murderer, but he was a nightclub bouncer. So he was someone that you were supposed to trust with handing your driver's license so that he could check that you were 18 to allow you into a nightclub. But he used that position to scout for his victims. He was a serial predator. Every time he was getting somebody's driver's license, he was able to see exactly where those people lived. And he could actually go and stalk those people. And this isn't a one-off thing. There are several examples out there in the media where you can see that this has happened, where a member of bar staff thinks that he fancies the girl that's handing over their driver's license and follows them home on the chance that he might get a date out of it. That stalking behavior is because we're oversharing the information that we're sharing. So actually, with a digital identity, we can make sure that all we need to hand over is a claim to say, I am over 18. And that can be done with trust based from your date of birth, but not sharing your date of birth. And it's really important that we can actually create these digital identity systems that deal with surveillance and tracking. We've also got concerns that are out there that actually am I being tracked by my digital identity? And so it's also important that we design the digital identity system correctly as well. That not only are we not oversharing our data, but we're also not enabling the digital identity to track where it's being used. And that's done through a combination of what we know as governance, so trust frameworks that define the rules for how digital identity systems can operate, but also the technology that underpins those digital identity systems as well. And that's where I come in as an advisor on digital identity to inform governments and businesses how we can actually achieve that privacy by design.
SPEAKER_01That was a really good, like interesting example of how comparing both the different scenarios in which data is being used. But do you think that the real advantage is more towards convenience and data minimization? But then again, like you said that it's about security and trust that people are concerned about, that building that trust. So what are the major problems that the public or in general the critics are worried about? And are they concerned just about the tech itself, that it's not going to be foolproof, or it's it's more than that?
SPEAKER_00There are definitely a lot of legitimate concerns in this area. And you can have very badly designed systems that don't deal with privacy, that don't do what we call selective disclosure. So the sharing of just I'm over 18, not my date of birth. There are systems that allow for whoever is designing the system, whoever's providing that, that they can track where you've used your digital identity. But there are also ways that you can make sure that it's designed so that those things can't happen. And that's really where the concerns that are being raised need to be taken on board as legitimate concerns and need to be addressed both from the governance perspective but also from the technology perspective. And I think if we do those things in the right way, if we do them in an open and transparent way so that people can understand what the system's doing, how it's doing it, how it's applying those privacy controls, I think that that's where we can move the debate on. Like I say, I'm passionate about digital identity and the benefits that it brings. So I'm always going to talk about it as a very positive thing. I also appreciate that people have legitimate concerns about that. And that's why I want us to have an open and honest conversation about the things that we can do to make sure that those concerns are addressed.
SPEAKER_01Thank you so much for explaining that for our audience, Bryn. We have been talking about digital ID and how it's supposed to be high-tech boarding paths to a modern life. However, we came across during our research of this phenomenon that it's called the data creep, which basically means the process where an identity infrastructure designed for one thing, like proving your right to work, evolves into an all-purpose data for controlling the users. There have been examples where this has gone wrong before. For example, India, the Adaha system, which is the world's largest biometric project, while it was aimed for efficiency, it faced massive judicial debate over privacy violations and sensitive data has been leaked on partnering government websites. Then there is another example of Greece. There are ideas that were basically the data that was collected was it included a person's religion, which highlights how the state can use identity to categorize. So basically, what we are trying to understand here is, and the question that basically pops up is could a system designed to make our lives easier end up as the ultimate tool for mass tracking?
SPEAKER_00It's absolutely a real issue and a real concern. We've seen it with social media that what started off as a way of sharing videos about cats, now the social media companies are data and marketing companies. So they're using how you're using social media so that they can target adverts to you and sell you things and monetize their platform. So that creep, we've seen it in the real world, we've seen it happen. And we have safeguards such as the general data protection regulation, GDPR. But actually, from a real person perspective, we see the terms and conditions that say we're going to use your data to mark it to you, and we tick them because we haven't got the law degree that you need to actually read terms and conditions and privacy notices to be able to understand them. We also get compelled to do it as well, because we've either got the fear of missing out, the FOMO, or it's a necessity. So we end up agreeing to do things so that we can access those platforms and we give away our privacy as a result of doing that. So it is a legitimate concern, and it's also a legitimate concern for digital identity as well. And in some ways, more so because you're giving your really personal information, your sensitive information, and it's also verified information. So on social media, I can claim that my name's Fred Blogs, and nobody needs to uh to check that. But with my digital identity, I'm saying that I am Bryn Robinson Morgan, and somebody, most likely the government, is vouching for the fact that that's correct. So all that information becomes incredibly valuable and incredibly important. And that's why we need to have the highest levels of protection and the highest level of user control in the way that we implement that digital identity. Now, to give a very real, though extreme, example, the Nazi regime conducted a mass census in May 1939. And one of the things that they asked people to put on their census form was around their ancestry and their race. That information was then used to identify and persecute Jewish people. So as I say, it's a it's a very extreme example. But you talked yourself about what happened with Adahar and the fact that somebody's religion then becomes part of their identity, and that's verified information. And whilst hopefully we never get into a situation where we're in the days of the Holocaust again, but there is always that risk of data creep and things that we thought were going to be used in one way actually being used in a different way. So we need those really serious controls to be within the design of the digital identity system. We need to make sure that those controls are pervasive as well, so that if there's a change of government, the new government can't come in and say, oh, we're going to change how that digital identity is going to be used, how that data is going to be used. And that's why we need a really clear design pattern that means that you can't have that data creep in future. So really well-designed digital identity system can be used to mitigate those risks. So rather than me telling the government and it being put on a central register what my religion is, I could hold that within my digital identity, and then I can choose to use that and share it with who I trust and who I want to share it with. So there are lots of things that we can do with a digital identity that actually increase protections for individuals.
SPEAKER_02That was very insightful. Thank you. Uh, you gave an extreme example from the past. And if we look look at today, in today's modern world, if you were to paint a worst case scenario versus the most optimistic one, what would it look like?
SPEAKER_00I think the the worst case scenario is that we end up with a digital identity system for the UK that hasn't had that independent oversight of what government is planning to do. That they don't have a meaningful consultation where experts in this field can actually give them the advice to how to design the system in the correct way. That we have a centralized system that gets hacked, that that data gets leaked, a mass data breach. That would be terrible for the UK, it would be terrible for citizens, it would send back digital trust many, many years and make it really difficult for people to trust a digital identity system in future as well. So that's that's kind of the worst case scenario. Whilst that sounds quite bleak, I am actually far more optimistic that we can do this in the right way, that we've got massive amounts of expertise and experience in the UK that we can actually design this in the right way. And it's about government meaningfully consulting with those experts, taking on board the negative criticisms, the overreactions in some case, and being able to explain how those real risks, those fears that people have, how they'll be mitigated, and as I say, how we'll design a system that has that pervasive control so that the controls can't be undone in future, and that we can't have that data creep occur in future as well.
SPEAKER_02That takes me to my next point. What legal safeguards exist to prevent misuse and are they strong enough?
SPEAKER_00As I mentioned, we have GDPR, which defines how we can use data. For digital identity, we also have um what is known as a trust framework. And the trust framework gets down to a lot lower level of detail in how we deal with things like security controls so that we can't have that mass data breach. How we deal with privacy and how data that's used within digital identity. Can and cannot be used. So, for example, in the trust framework, you can say data collected through the digital identity system can't be used for marketing purposes. So you can start to get those granular controls within that. And then you can start architecting the technology to support those trust framework requirements. And architecting that in the right way is about decentralizing the system so that people can hold their own data. So one of the common ways of doing that is on a smartphone. If the individual's got their data on their own phone, that in itself is a great protection because it means that the individual gets to choose when they share it, who they share it with, and it takes away that risk that the state just decide that they're going to share your data or they're going to use it for other purposes. So there are lots of things that we can do. And like I say, I'm quite hopeful that the delivery of the UK infrastructure for digital identity will use those best practices.
SPEAKER_02Thank you. Now let's take a look at the bigger picture. To understand how far digital identity systems can extend, it is helpful to explore broader global approaches to digital governance. Different countries have adopted varying models reflecting different legal traditions, privacy expectations, and administrative needs. Some systems around the world are designed primarily to streamline public service delivery, others focus on security and migration control, and some aim to create a fully integrated digital ecosystems. So, Bryn, when we talk about digital identity, what should the state legitimately need to know about us? And where should the line be drawn?
SPEAKER_00That's a really great question. And let's be honest here the state, the UK government in this example, they already know a lot about us. And they have legitimate reasons for knowing things about us as well. So it's legitimate that the government can ensure that we're paying the right amount of tax, that we're claiming welfare payments correctly, that we talked about migration there, that again, who's coming into the country, who's leaving the country. And they do that today. They issue us with a passport so that we can cross a border. They have tax systems, and our employers have to tell the tax service how much we've been paid, or we have to fill out a self-assessment form. So government are already getting a lot of our data and a lot of our information. We also can't have legal identity without state endorsement either. So registering births, deaths, marriages, it's not a controversial idea. So when we implement digital identity in a good way, it's really about making our lives easier, about making them more secure and more private. So it's not changing anything that the state would know about us, but it's changing how we interact with the state. And the UK government's position, it's quite sensible. They want to use digital identity to make those interactions much more simple, much more efficient. And that's good for citizens, that's good for government departments. There are massive amounts of benefits by doing that. And I think that most people would agree that that is a good thing. Where I think people get concerned is that the idea of the government's tracking that they're buying the bottle of wine in the supermarket. It's that sort of information that government shouldn't need to know. They also want to make sure that government aren't accessing their data without their knowledge and without their consent. So again, when we share data with government or when we get our passport from government, we know what data they've got. What we don't want is that additional data in our digital identity to be used without us knowing about it, without us seeing the reason why it's being shared with government or why it's been shared with any other organization in society. So we do need to make sure that there is a clear line. And again, it's about designing the digital identity system so that that line can't be crossed. And I think if we do that, that's where the government can achieve its aims. And the people who've got quite a negative view of digital identity at the moment, that they can become more comfortable with how digital identity is implemented. And just one other point that I would make is that we do also need to consider alternate pathways as well. So if people just don't want to engage with a digital identity system, we should still have ways that people can engage with the state without having a digital identity as well. And I think that if we get that balance right, those people will be few and far between because the efficiency of digital identity, the convenience of it, will just become something that people want to use.
SPEAKER_01Bryn, when you say digital identity in a good way, what does that concretely mean? Are we talking about minimal data? Are we talking about decentralized storage or just strong auditing rights? And also about seeing it as an efficient in an efficiency way, but historically we see many like governments, like the tools by government are justified as efficiency measures, but then they are later expanded in scope. So, how do we prevent digital identity from becoming like a power multiplier or it becoming more um is it just a being about data collection and less about interoperability?
SPEAKER_00So I think all of the things that you talked about there are what we want to see from that government digital identity. And again, it doesn't need the government to be the one that's actually providing that digital identity service. That service could be provided by the private sector and government just set the rules of the road. And I think that to my mind, having that ecosystem that gives people the choice, I think fits very well with the national psyche of the UK. That actually the government says, here are the rules for digital identity. The government puts in place the things that only government can do, such as legislation, and then the private sector is able to deliver against that and deliver decentralized systems for people who have smartphones and want that ability to have their digital identity on their smartphone. You also need to make sure that we've got inclusion and accessibility in there as well. So we do also need systems that have those same strong protections for individuals, but maybe they have more of a centralized system so that people don't need their own smartphone to operate it. But that centralized system can also have some decentralized controls in there as well. So not everything stored in one big database, but actually using things like cloud services and personal data stores on the cloud so that individuals have got the same protections but have got more accessibility options. And I think if we can create this in the UK, we can actually become a model for other countries who are looking at implementing their own digital identity system. That actually what we have in the UK is a leading light for the digital identity industry globally.
SPEAKER_01That's I think one of the interesting points to look at considering that if the issue isn't just data collection, it's more like organizational and integration. So when we jump into the next question, it's there has been a sudden change of direction from the UK government when the digital identity was first announced in late September 2025. It was presented as a condition of everyday participation, especially for working or renting a home. The government framed it as a practical response to illegal migration and the shadow work economy, uh, with a clear message that access to work would depend on having a digital identity. However, on January 14th, 2026, the government dropped the compulsory element and repositioned digital ID as a voluntary smartphone app designed to simplify administrative tasks. Rather than enforcement, the emphasis shifted to convenience. The device system now functions as a digital proof of identity, allowing citizens and lawful residents to replace physical documents with a secure digital alternative. The U-turn reflected mounting constitutional concerns alongside long-standing civil liberties objections to mandatory identity schemes. In its current form, however, the scheme is still in design and not active. It is suggested that it would be a free smartphone-based app available to British citizens and lawful residents. It will be designed to function as single digital proof of identity, replacing the need to repeatedly present physical documents like the utility bills, birth certificates, or paper letters with the consent of the users. The government has described it as a practical tool for everyday life rather than a surveillance mechanism. So, Brain, the question is when the government stepped back from mandatory digital IDs, that moment tell us about the limits of state power over how people prove who they are in their everyday life.
SPEAKER_00I think a lot of the fear and the debate around digital identity was caused by a rather clumsy announcement that was made by politicians who weren't properly briefed, they weren't really knowledgeable enough to be able to answer the questions that they were being asked. And again, it was about those legitimate concerns that people have that actually, if you can't answer them in a precise and accurate way, then people are going to have that fear just exacerbated. And people really are going to think that this is about government overreach, intrusion into your personal life, the state surveillance, all the things that actually digital identity can counter against. So when the government rolled back and said, actually, we're not making it mandatory, it was really just about resetting that position from the initial clumsiness of the announcement in the first place. I don't think that actually what the government wants to do has changed in any particular way. The narrative has become that it's a government U-turn, but actually I think it was just a bad announcement or a badly made announcement in the first place. So the next step, I think, or at least I hope, is that government are going to meaningfully engage with the people in the identity industry in the UK. They're going to meaningfully engage with organizations who are looking at government overreach, who are looking at citizen protections, who are looking at things like inclusion and accessibility, that they are going to really listen to what's being said, and that they're going to take that on board for what they do next. And as I say, we've got a lot of the foundations for digital identity in the UK already. We just need it bringing together in a way that's going to accelerate the adoption in the UK. Government doing what only government can do in laying those foundations for the digital public infrastructure so that digital identity in the UK can really thrive. And we've been in this position for quite a few years now, and we've never got there with government. So that's why I say my hope is that actually what the government announced was really to kickstart that acceleration to make digital identity in the UK a reality, to make it so that I can go to the supermarket with my smartphone, with my digital identity on it, and I don't have to suffer somebody coming up and looking at my driver's license and saying, My word, how old are you? You know, we need to make sure that we really do embed digital identity into our everyday life and that we do get that convenience factor, we do get that security, and we do get the enhanced privacy. It's a big task, but we definitely got the things that we need to make this a reality. So, yes, what the government announced, it wasn't great. What they then announced as a U-turn didn't really help the situation either. Underneath it all, I think actually we're still on the same path.
SPEAKER_02This raises a broader question of does a voluntary digital ID meaningfully address a civil liberties concerns, or does it merely repackage the same risks?
SPEAKER_00I think it can address the civil liberty concerns. And again, it's all down to implementation. So we shouldn't see those concerns as being invalid. We should actually embrace people challenging and raising those things and saying, what happens in this circumstance? What happens when there's a change of government and somebody decides that they want to do something different? All those things can and should be addressed by a proper, well-founded, well-designed digital identity system.
SPEAKER_02Thank you, Brain, for sharing your valuable insights. In this episode, we have discussed what digital ID actually is: surveillance and challenges in ID systems design, and raising broader questions about how different legal, political, and individual contexts influence the balance between convenience, security, and freedom, and the UK's controversial U-turning digital ID. At its core, the debate over digital ID is less about apps and infrastructure and more about who decides how identity, freedom, and trusts are defined in the era of technology.
SPEAKER_01That was really helpful, Brian. You've managed to cut through a lot of the fear-based narratives and focus on what actually matters the design and the accountability. And with all your insight, all that's left to say is a massive thank you for joining us today on today's episode. Thoughts, feedback, and questions are all very welcome. Thank you for listening.