The Divergence of Identity: What Next for the UK’s Digital Identity Strategy?

The United Kingdom currently stands at a decisive juncture in its digital evolution, marked by the most significant transformation of its identity infrastructure since the repeal of the Identity Cards Act 2006.

The summer of 2025 has witnessed a convergence of legislative action, technological deployment, and intense policy debate that fundamentally redefines the relationship between the citizen and the state.

Following the Royal Assent of the Data (Use and Access) Act 2025 on June 19, 2025, the British government has formally established a statutory framework for digital verification services. This legislative milestone is not merely a bureaucratic update; it represents the operationalization of a new digital social contract.

However, this rollout occurs against a backdrop of rigorous ideological contestation.

The most prominent counter-vision has been articulated by the Tony Blair Institute (TBI), which has aggressively campaigned for a centralized, mandatory digital identity solution—colloquially and somewhat controversially termed the “BritCard.”

The TBI’s intervention serves as a critical foil to the government’s strategy, highlighting a fundamental philosophical divergence: should digital identity be a “command and control” instrument of the state designed to secure borders and integrate public data, or should it be a “market-enabling” infrastructure that prioritizes privacy, competition, and voluntary adoption?

This analysis scrutinizes the aggressive, state-centric vision proposed by the TBI and contrasts it with the executed strategy of the Department for Science, Innovation and Technology (DSIT) and the Cabinet Office. It argues that while the UK government has rhetorically rejected the TBI’s “ID card” model, the functional reality of its 2025 strategy is creating a ubiquitous, unavoidable digital identity infrastructure that mirrors the TBI’s objectives while fundamentally differing in architectural execution.

The Strategic Context: From ‘Verify’ to Statutory Certainty

To fully appreciate the nuance of the 2025 landscape, it is essential to understand the historical and operational vacuum that the Data (Use and Access) Act 2025 was designed to fill. For over a decade, the UK resisted creating a centralized state identity layer.

The predecessor system, GOV.UK Verify, operated on a purely federated model where private identity providers verified users for government services. This system ultimately failed due to low adoption and a “double failure” of incentives: departments developed internal login systems, and private providers could not monetize the credentials.

Into this vacuum, the Tony Blair Institute injected a proposal for a radically more assertive state architecture. The TBI’s “BritCard” concept argues that the government’s incremental, federated approach is insufficient.

They posit that a digital ID should be a “defining step” for Britain—a fundamental piece of state infrastructure rather than merely a login tool. The TBI’s argument is predicated on the notion of “data sovereignty” and state efficiency, contending that the lack of a single, authoritative identifier across health, tax, and border systems creates inefficiency and allows individuals to fall through the cracks of the state.

The Data (Use and Access) Act 2025 serves as the legal bedrock for the government’s actual strategy, effectively ending the debate on whether the UK would regulate digital identity.

Unlike the TBI’s call for a consolidated national database, the Act focuses on “enabling” a market. It establishes the Office for Digital Identities and Attributes (OfDIA) as the statutory regulator, tasked with maintaining a register of certified providers. Crucially, the Act extends “Smart Data” principles, allowing identity providers to verify user attributes by querying third-party APIs (like utility companies) directly, representing a massive leap in fraud prevention without centralizing data storage.

Architectural Divergence: Centralization vs. The Wallet

The core technical and philosophical disagreement between the TBI’s “BritCard” and the government’s implementation concerns the architecture of the identity system: where data is stored, who controls it, and how it is accessed.

The TBI model implies a “golden record” approach, where a central registry holds authoritative data on every resident to streamline government efficiency and immigration control. By contrast, the government’s architecture employs a “hub” model for authentication and a “wallet” model for credential storage. This design is intended to insulate the state from “honey pot” risks—the danger of creating a single, massive database that attracts cyberattacks.

The government’s GOV.UK One Login acts as a centralized front door but does not consolidate all attribute data into a single location. It handles authentication (proving who you are) but leaves attribute data (health records, tax history) in domain-specific departments. One Login acts as a “blinded broker,” passing the verified user to the service without necessarily retaining a persistent record of the user’s interactions within that service.

The most significant divergence is the introduction of the “GOV.UK Wallet.” The government explicitly states that documents in the app are stored locally on the user’s device, not in the cloud. This local-storage architecture is a definitive rejection of the centralized database model implied by the TBI.

Furthermore, by utilizing the ISO 18013-5 standard, the government enables “proximity flows” where a user can prove their identity or age to a relying party without needing an active internet connection or a call-back to a central government server. This “unobservable” usage is a key defense against the surveillance accusations often leveled at centralized ID schemes.

The Mandatory vs. Voluntary Paradox

The most contentious aspect of the comparison lies in the “mandatory” nature of the digital ID. The TBI report explicitly frames digital ID as a necessity for border integrity, linking the ID directly to the “Right to Work” and creating a binary state of “documented” or “undocumented.”

The government, legally and rhetorically, maintains that digital ID is voluntary and insists there will be “no national ID card.” Yet, recent announcements regarding the digital ID scheme introduced a critical caveat: digital ID will be mandatory for Right to Work checks by the end of the Parliament. This creates a functional paradox where the ID is voluntary for the citizen to hold, but mandatory for the citizen to participate in the economy.

By making the digital check the path of least resistance—and eventually the only path—for employers to avoid heavy fines, the government effectively mandates the ID without passing a “National Identity Card Act.” This allows them to achieve the TBI’s goal of immigration control while maintaining a veneer of liberal market choice.

The Ecosystem Model: State Monopoly vs. Market Innovation

A distinct area of divergence is the role of the private sector. The government’s strategy, governed by OfDIA, attempts to foster a competitive market of Digital Verification Services. The Data (Use and Access) Act 2025 formalizes a register of certified providers and a government-backed “trust mark” to generate consumer confidence. This market-led approach suggests a future where citizens might use a private sector digital ID to access services.

However, the government’s aggressive rollout of GOV.UK One Login poses an existential threat to the very market OfDIA is supposed to nurture. As GOV.UK One Login becomes the “single front door” for all public services, private providers may struggle to find a business case. Private Identity Providers (IDPs) cannot compete with “free” unless they can capture high-value commercial sectors. There is a latent conflict between DSIT (promoting a private ID market) and the Cabinet Office (building a state monopoly), with the TBI vision aligning more closely with the One Login dominance scenario.

Interoperability: The UK vs. eIDAS 2.0

Finally, the international dimension reveals a risk of isolation. The EU is rolling out the European Digital Identity Wallet (EUDIW) under eIDAS 2.0, which mandates that Member States offer a wallet and that major private platforms accept it. The system is designed for pan-European interoperability.

The UK’s approach is domestic-focused, with no automatic mutual recognition treaty in place with the EU. This creates a “digital border.” However, the government’s adoption of global technical standards like W3C Verifiable Credentials and ISO 18013-5 acts as a defensive measure. By aligning with the technology layer supported by Apple and Google rather than the bureaucratic layer, the UK hopes to achieve interoperability through technology rather than treaty.

Conclusion

Comparing the UK government’s 2025 plans with the Tony Blair Institute’s report reveals a landscape where the goals are identical, but the methods differ in sophistication. The TBI called for a “BritCard”—a blunt, centralized instrument of state modernization and control. The government has delivered a system that is technically superior in its privacy preservation and security architecture, avoiding the single point of failure that plagued previous concepts.

However, the government’s strategy is politically deceptive in its similarities to the TBI vision regarding compulsion. By mandating digital checks for employment, housing, and corporate directorship, and by establishing a state-run app that will likely dominate the market, the UK is building a national identity system in all but name. The result is a system that is functionally ubiquitous, technically federated, and operationally mandatory, achieving the TBI’s vision through the backdoor of economic regulation rather than the front door of constitutional change.