Making public services work for you with your digital identity
A structured response on revocation, checker accountability, holder choice, dispute resolution, and verification records that can be reviewed later in UK public digital identity design.
This response forms part of an ongoing public record of submissions on digital identity, authority, verification, and public digital infrastructure.
It addresses a live UK government consultation and focuses on revocation, checker accountability, holder choice, dispute resolution, and verification records that can be reviewed later.
Consultation questions addressed
- 2.2.Q2 Revocation and ethical safeguards
- 2.2.Q3 Holder services beyond the GOV.UK Wallet
- 2.2.Q4 and Q5 Government checker design and limits
- 4.5 Alternative access routes
- 5.4 Oversight and governance
Response written by Matt Smithies, an expert speaking in his own capacity.
Consultation: Making public services work for you with your digital identity — Cabinet Office.
A national digital identity is a live authority system
It is not a credential on a phone. It decides how a person proves who they are, how a service decides whether to trust that proof, how that decision is recorded, and what happens when the answer changes. The real design problem is not issuance. It is state, evidence, revocation, dispute, and exit.
The Cabinet Office consultation contains several good instincts: minimise disclosure, avoid legal compulsion, support alternative access, and build stronger checking. (GOV.UK) Intentions are not the system. It will succeed or fail on a small number of structural choices.
Can a person opt out without being pushed into exclusion? Can a relying party prove what it checked? Can revocation happen without becoming opaque administrative power? Can alternative access remain inclusive without becoming the weakest fraud surface? Can the system preserve evidence for disputes without turning into a tracking layer?
Those are the real questions. Everything else is packaging.
A national digital identity should be designed around its failure modes, not its launch narrative.
Trust is conditional because control is the real fear
Public appetite for a simpler way to prove identity is real. Public trust is narrower than headline support suggests.
Ipsos found in July 2025 that 57 percent of Britons supported a national identity card scheme in principle. Once respondents were asked specifically about digital ID cards, after trade offs were made explicit, support fell to 38 percent and opposition rose to 32 percent. Civil liberties concern sat at 39 percent. 32 percent worried about data being used without permission. 31 percent worried about data being sold to private companies. 31 percent worried about abuse. 51 percent were not confident the government could hold personal information securely. (Ipsos)
Figure (Ipsos, July 2025): Public support and public concern are not the same thing. Series: Support, Concern.
Support in principle is not the same thing as support after trade offs, and neither is the same thing as confidence that the state can hold personal data safely.
The Commons Library records a sharper movement. Once the policy was framed in more compulsory terms in late 2025, YouGov tracking moved from 57 percent support in June to 38 percent in December, with opposition rising from 25 to 47 percent. Support collapses as soon as people perceive coercion.
The state’s own public dialogue on trust placed accountability and transparency at the core of trust. Participants treated accessibility and agency preservation as preconditions, not extras. They asked for explicit acknowledgment that digital identity could become mandatory over time, and for durable assurances that alternatives would remain available. (GOV.UK)
Public caution is rational because identity systems concentrate power. The design must answer how that concentration is bounded, not claim that concentration is benign.
The risk is not bad credentials. It is silent accumulation
Selective disclosure is necessary. It is not sufficient.
Privacy is not only what is disclosed in a single transaction. It is what the system accumulates across transactions. The Commons Library is direct: a national digital identity can create a “360 degree view” of an individual, enable profiling, and record how and when identity was checked in ways that reveal location and purchase history. Function creep follows: the system becomes mandatory in situations the original policy did not foresee.
This boundary must be explicit. The system should preserve enough evidence to resolve disputes and support lawful reliance. It must not become a general behavioural record of a person’s interactions with the state and the wider economy. A record of checks visible only to the holder is transparency. A record that third parties can access and retain is surveillance. The difference is a design decision.
Figure (Design boundary): Bounded verification is not surveillance. Boundary: nothing in this flow should become a cross service behavioural record.
Bounded verification means only what the use case requires is checked, and only for the purpose at hand. That is not the same thing as surveillance.
The wider privacy context reinforces the constraint. The ICO’s 2025 attitudes survey found that only 19 percent of people felt informed and 19 percent felt in control when presented with “consent or pay” choices online. The dominant feelings were scepticism, pressure, and frustration. Consent language without understandable boundaries is not consent. It is pressure dressed as choice.
The state has already committed, via the Office for Digital Identities and Attributes in October 2024, that the UK approach should be voluntary, should not involve a centralised database, and should leave people in control of their data. (enablingdigitalidentity.blog.gov.uk) That standard must hold as the scheme scales, not only at launch.
Voluntary in law is not voluntary in practice
The consultation states there is no legal obligation to have or present the digital ID. The 2026 explainer says police cannot demand to see it. The consultation says a person can delete it from their own device at any time. (GOV.UK)
Voluntary is not a legal label. It is an operating property.
A meaningful opt out requires three things. A person who declines the digital identity must still be able to access essential public services through a lawful and workable alternative route. Deletion from the device must be simple and visible. Refusal must not carry compounding friction that converts the technical option into practical exclusion.
Figure (Access to service): Real opt in versus soft compulsion.
Where voluntary becomes coercive:
- 01 Extra time at every step
- 02 Repeated checks and re-verification
- 03 Lower quality service from the non-digital route
- 04 Exception queues and escalation bottlenecks
- 05 Manual handling dependent on staff discretion
- 06 Inaccessible support
A system can be voluntary in statute and coercive in operation. Opt out is only real when the declining path reaches the same outcome.
The ICO found in 2025 that 47 percent of digitally disengaged adults had felt under pressure to use computers or smartphones even when they did not want to, up from 37 percent the year before. 49 percent had no or limited access to the internet or a connected device. 47 percent had been required to use a device even when they did not want to, including for shopping, banking, and applying for or renewing official documents.
A system becomes coercive in practice long before it becomes compulsory in law. The public dialogue already anticipated this: participants asked for explicit acknowledgment that digital identity could become mandatory over time, and for durable assurances that alternatives would remain available. (GOV.UK)
Voluntary is a property of the pathways the state builds. It is not a property of the statute.
Holder choice is fine. Inconsistent rules across holders are not
The consultation asks whether people should be able to store the national digital ID in holder services other than the GOV.UK Wallet. The answer is yes. The consultation already sketches the conditions: a third party holder must be certified under the trust framework, placed on a government register, and bound by a specific agreement with government. (GOV.UK)
The state’s authority to issue does not require a monopoly on presentation. Holder plurality is compatible with state authority. The broader UK digital identity programme has argued the same: people should choose from a range of certified providers, not one forced surface. (enablingdigitalidentity.blog.gov.uk)
Figure (Trust architecture): Holder choice inside a trust model. Panel: Invariants across every certified holder.
Choice of holder surface is compatible with trust only when the underlying rules remain the same across every certified holder.
The holder is part of the trust surface. The failure mode is not user confusion. The failure mode is a certified holder that quietly relaxes a boundary, and a relying party that cannot tell.
A checker that returns valid is not enough
The consultation proposes a Government Checker and expects most verification to be carried out by certified digital verification services. The Government Checker would return confirmation that a presented digital ID is valid and trustworthy, limited data for the use case, and a photo to help confirm the holder. A basic checker at low or no cost is under consideration. (GOV.UK)
A checker that returns “valid” is not enough.
Figure (Verification event): Minimal verification receipt.
- 01 Present credential: holder → checker
- 02 Request minimum claims: checker asks only what the use case requires
- 03 Approve disclosure: holder consents on the holder service
- 04 Verify: checker confirms status and integrity against the issuer
- 05 Emit holder-visible receipt: checker · purpose · claims disclosed · result · time · retention
Not created by this event:
- No universal behaviour log
- No unnecessary cross service trace
- No open ended retention
A check that can be reviewed later requires a minimal receipt, not just a pass or fail result.
The use case makes this unavoidable. The consultation presents digital right to work checks as a major use case and highlights the value of a digital audit trail for compliance and enforcement. (GOV.UK) A business relying on a digital check for legal protection needs an output that is defensible later. A bare pass or fail is not.
A record of checks visible only to the holder is transparency. A record that third parties can access, retain, and join across services is surveillance. The receipt has to sit on the holder’s side of that line.
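The receipt described above, as an added sketch that is not part of the consultation or of the original response: the checker refuses claims beyond the stated purpose and emits a receipt carrying only the six listed fields. The field names, the purpose policy, the retention values and the use of an HMAC (standing in for a checker signature) are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical per-purpose policy: which claims may be requested and how long
# the receipt may be retained. All values are constructed for illustration.
PURPOSE_POLICY = {
    "right_to_work": {"claims": {"right_to_work", "photo"}, "retention_days": 90},
    "age_over_18": {"claims": {"age_over_18"}, "retention_days": 1},
}
RECEIPT_FIELDS = ("checker", "purpose", "claims_disclosed", "result", "time", "retention_until")


def _mac(body: dict, key: bytes) -> str:
    # HMAC stands in for the checker's signature (assumption, stdlib only).
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_receipt(checker, purpose, requested, result, now, key):
    policy = PURPOSE_POLICY.get(purpose)
    if policy is None:
        raise ValueError(f"unknown purpose: {purpose}")
    excess = set(requested) - policy["claims"]
    if excess:  # data minimisation: refuse anything the purpose does not need
        raise ValueError(f"claims exceed purpose: {sorted(excess)}")
    body = {
        "checker": checker,
        "purpose": purpose,
        "claims_disclosed": sorted(requested),  # claim names only, never values
        "result": result,
        "time": now.isoformat(),
        "retention_until": (now + timedelta(days=policy["retention_days"])).isoformat(),
    }
    return {**body, "mac": _mac(body, key)}


def review_receipt(receipt, key, now):
    # Any extra field (for example a cross service identifier) fails review.
    if set(receipt) != set(RECEIPT_FIELDS) | {"mac"}:
        return "rejected: field set differs"
    body = {k: receipt[k] for k in RECEIPT_FIELDS}
    if not hmac.compare_digest(receipt["mac"], _mac(body, key)):
        return "rejected: altered"
    if now > datetime.fromisoformat(receipt["retention_until"]):
        return "expired: past retention"
    return "ok"


if __name__ == "__main__":
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)  # constructed sample
    r = issue_receipt("Example Employer Ltd", "right_to_work",
                      ["right_to_work", "photo"], "pass", t0, b"demo-key")
    print(json.dumps(r, indent=2), review_receipt(r, b"demo-key", t0))
```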
Privacy rights must be built into the fabric
A public digital identity system should not only minimise disclosure at the point of check. It should make privacy and data protection rights legible in practice.
People should be able to understand what was checked, by whom, for what purpose, what was retained, and for how long. They should have a practical route to access that information, challenge it where necessary, and seek correction, restriction, objection, or erasure where the law allows.
Privacy here is not a policy promise layered on top. It is part of the operating model. Transparency, purpose limitation, data minimisation, retention awareness, and accountability by design are properties the system either has or does not.
Organisations operating the system should define and communicate the purpose of each check, the retention window, who receives the data, and the route for exercising rights before the processing takes place.
Figure (Operational rights): Holder visible event history.
- Event: Identity checked · Attribute checked · Status checked
- Metadata: Checker · Purpose · Timestamp · Retention period
- Rights: View · Access · Challenge · Correct · Restrict · Erase where applicable
A person should be able to see the material verification events that concern them, understand who carried them out, for what purpose, what was retained, and what rights or routes to challenge are available.
This also means separating distinct operations that are often blurred together. Deletion from a user device, erasure of retained personal data, and administrative revocation of a credential are not the same thing. A trustworthy system should make those distinctions visible.
Rights are not satisfied by a privacy notice alone. They need to be discoverable in the event history, retention logic, and challenge process of the system itself.
Revocation is an exercise of power
The consultation says people may wish to delete their digital ID and that deletion should be simple and quick. It also says the state will need the power to revoke a digital ID in limited circumstances such as fraudulent use. The 2026 explainer adds that credentials stored on a lost or stolen phone should be revocable and reissuable. (GOV.UK)
Revocation is not a silent state change. It is an exercise of power over a person’s ability to prove who they are in a system that sits at the heart of public service delivery and legally significant checks.
Figure (Credential lifecycle): Revocation state model.
Deletion from a device, erasure of retained personal data, and administrative revocation of credential validity are different operations and should not be collapsed into one concept.
Without reasons, responsible authorities, defined decision times, and routes to challenge, the system is an opaque gatekeeper. With them, it can be a public instrument that survives scrutiny. (GOV.UK)
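A sketch of such a lifecycle, added here as an example and not taken from the consultation or the original response: every change of validity must carry a reason and a responsible authority, administrative moves also need an appeal route, and device deletion and erasure of retained data are separate operations that never touch validity. The transition table, class and field names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed transition table (hypothetical): the response names these five
# states but does not list the edges between them.
ALLOWED = {
    "active": {"suspended", "revoked", "expired"},
    "suspended": {"active", "revoked"},
    "revoked": {"reissued"},
    "expired": {"reissued"},
    "reissued": set(),  # old credential replaced; its successor starts "active"
}
# Assumption: moves into these states are administrative and need an appeal route.
ADMINISTRATIVE = {"suspended", "revoked"}


@dataclass
class Credential:
    state: str = "active"
    on_device: bool = True
    erased_fields: set = field(default_factory=set)
    history: list = field(default_factory=list)

    def transition(self, new_state, *, reason, authority, at, appeal_route=None):
        """Change validity; refuses silent or unexplained changes."""
        if new_state not in ALLOWED.get(self.state, set()):
            raise ValueError(f"{self.state} -> {new_state} is not permitted")
        if not reason or not authority:
            raise ValueError("a reason and a responsible authority are required")
        if new_state in ADMINISTRATIVE and not appeal_route:
            raise ValueError("administrative action requires an appeal route")
        self.history.append({"from": self.state, "to": new_state, "reason": reason,
                             "authority": authority, "appeal_route": appeal_route,
                             "at": at})
        self.state = new_state

    def delete_from_device(self):
        """Holder action: removes the local copy, validity is untouched."""
        self.on_device = False

    def erase_retained(self, fields):
        """Data-protection action on retained data, not on validity."""
        self.erased_fields |= set(fields)
```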
Alternative access is a separate threat model
A physical card that is only visually checkable is not an alternative. The consultation says any alternative access route must still facilitate a digitised check and remain robust in terms of security, reliability, accuracy, and fraud prevention. It points to code displays, signed QR approaches, and mobile alternatives used internationally. The 2026 explainer commits to physical alternatives for those without smartphones, face to face help during rollout and afterwards, and dedicated casework for difficult situations. (GOV.UK)
Figure (Access design): Alternative access is a separate threat model. Routes: Digital route, Assisted route, Human route.
Each route is a separate design problem, not a degraded fallback.
If alternative access collapses back into visual tokens or manual guesswork, it becomes the weakest surface in the system, and the one adversaries will target first.
Digitally excluded people are not an edge case. The ICO’s 2025 research found nearly half of digitally disengaged people had no or limited access to the internet or a device, and many were already under pressure to use digital tools they did not want to use. The public dialogue called for involvement from people who have experienced barriers to proving identity — including people without a fixed address and those with experience of coercive control — in design, testing, and oversight. (GOV.UK) Alternative access must be designed with those users inside the room, not annotated around them after the fact.
Oversight must exist at event level
The consultation describes oversight as a mix of internal and external processes, independent scrutiny, Parliamentary accountability, and complaints handling. That is the frame. (GOV.UK)
Oversight at the top of the system is necessary. It is not sufficient. It must be observable at the level of actual events — who can issue, who can check, who can revoke, what gets recorded, how complaints and appeals work, what users can inspect, what gets reported publicly. If those answers are not explicit, governance is a word rather than a property. (GOV.UK)
Figure (Governance surface): Oversight loop.
Oversight is an operating loop, not a promise above the system.
The public dialogue already named the missing shape: users on design, testing, and oversight panels, not consultees at launch. (GOV.UK)
Direct positions
- Voluntary in practice, not just in law. Alternative routes to essential services should be real, usable, and free of compounding friction.
- No tracking layer. Verification evidence should be narrow, tied to a specific purpose, visible to the holder, and not a cross service activity log.
- Certified holder plurality under stable rules. Allow more than one certified holder under a single trust framework. The same disclosure rules and the same status meanings apply on every holder.
- Minimal verification receipts. Every check should produce a record sufficient for dispute and compliance, visible to the holder, and nothing more.
- Privacy rights as operating model. Holders should be able to see when their identity or data was checked, understand the purpose and retention, and exercise access, correction, restriction, objection, and erasure where the law allows.
- Due process for revocation. Treat active, suspended, revoked, expired, and reissued as distinct states, each with reasons, responsible authorities, and appeal routes. Deletion from a device, erasure of retained data, and administrative revocation are not the same operation.
- Alternative access as a separate design problem. Digital, assisted, and human routes each have their own fraud, privacy, and support considerations, and should be designed with the people who rely on them in the room.
A national digital identity will not fail because the signature was wrong. It will fail when a person, service, business, or tribunal needs to understand what happened, and the system cannot explain itself. The ability to reconstruct what was checked, by whom, for what purpose, and with what result is the condition that turns digital identity into usable public infrastructure.
Sources
Cabinet Office, Making public services work for you with your digital identity and related consultation materials.
Department for Science, Innovation and Technology, Digital ID scheme: explainer. (GOV.UK)
Department for Science, Innovation and Technology, Public dialogue on trust in digital identity services: a findings report. (GOV.UK)
House of Commons Library, Digital ID in the UK, 23 March 2026.
ICO, Public Attitudes on Information Rights Survey 2025.
Ipsos, 57% of Britons support national ID card scheme, but have significant concerns over data security and implementation, 1 August 2025. (Ipsos)
Office for Digital Identities and Attributes, A way to prove who you are that is fit for the UK’s digital economy, 24 October 2024. (enablingdigitalidentity.blog.gov.uk)