The Emotive Roller-Coaster of Privacy
On a recent foreign foray through multiple customs checks, and in tandem with my recent training event in Leeds, it got me thinking again about the UK Government's announcement of its intention to introduce a GOV.UK Digital Identification Wallet, which could be mandatory by 2029.
Since that announcement I have seen some interesting posts on social media. Some are clearly misinformation, and maybe even some attempt at disinformation; most are about mass Government surveillance. It all feels a bit emotive at times rather than rational.
Caveat: I am approaching this topic from a particular perspective, based on the Exfiltrated Data OSINT training I provide.
I take on board the concerns raised about Digital Identification Wallets; there are some valid concerns. However, there is also some misinformation floating about them too.
If I am honest, those who know me know I am as interested in privacy as I am in OSINT, so I too have reservations.
I have seen much mention of Sir Tony Blair's Government's plans to introduce Digital IDs in the early 2000s. Times have changed considerably since then, and the reality is that this new scheme is far removed from the days of Sir Tony Blair's Government.
Three pieces of legislation / regulation are now in force: –
Immigration, Asylum and Nationality Act 2006,
General Data Protection Regulation (GDPR) 2016 (Now known as UKGDPR),
The Online Safety Act 2023,
The Online Safety Act 2023 has been in force for over a year now, and it is clearer how services and platforms will carry out age verification. We have seen initial use of selfies, video and voice verification through to providing identification such as an NFC-enabled passport, or worse, a photo of one.
OSA 2023 PART 4 CHAPTER 1
(2) ’The verification process may be of any kind (and in particular, it need not require documentation to be provided).’
What we are seeing now, however, as the OSA is expected to be fully implemented by the autumn of 2026, is a move away from app-level age verification to OS-level verification.
If you have been following this space you will know that the UK, EU and US along with social media companies have all been working on Digital Identification type wallets for some time now.
The main issue here will be cross-compatibility and standardisation, something we still see afflicting the wholesale implementation of Passkeys. Passkeys are a great online security measure to protect your accounts, but they are not necessarily uniform or standardised across platforms and providers.
In theory the aim is also to make these wallets provide more privacy. If you are asked to prove your age, say to buy alcohol, rather than producing your driving licence, which would disclose your name, driving licence number and home address, the wallet could and should be set up so that it only discloses the minimum information required for the purpose. This may take the form of a token sent to an NFC reader, which in this case would only verify that you are 18 or over, with no name, date of birth or address attached.
Think of Apple Pay and Google Pay: they do not transfer your card details to the card reader, they transfer a token that authorises the purchase. In theory this is more secure than using your actual bank card, as your card number is never handed to the retailer. The trade-off, of course, is that you are now allowing Apple and Google to know your spending habits, potentially in association with your location, which advertisers may find handy. It really is a game of cat and mouse between security and privacy.
In the same way it may be more secure to use PayPal to pay for online services or products. PayPal handles the payment, so there is no need for you to enter your card details into the vendor's website, where they can be stored. Those details could be exfiltrated and sold online if the company suffers a breach.
In my opinion, if you want to become more secure from a digital perspective, for some services you may have to give up some of your privacy.
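The minimum-disclosure age check described above, and the tokenised-rather-than-raw-details pattern of Apple Pay and Google Pay, can be shown in working code. What follows is an added example, not code from the GOV.UK wallet or any named vendor: the issuer signs salted hashes of each attribute (the hash-then-reveal structure used by SD-JWT, with an age_over_18 attribute of the kind ISO 18013-5 mobile driving licences carry), the holder reveals only that one attribute, and the verifier accepts only disclosures the issuer actually signed. The issuer name, the sample claims and the use of HMAC as a stand-in for the issuer's real signature are assumptions of the example; in a real wallet the issuer signs with an asymmetric key and the verifier holds only the public key.

```python
"""Selective disclosure for an age check (illustrative, stdlib only).

Issuer: signs a list of salted digests, one per attribute.
Holder: presents the credential plus only the disclosures the relying party needs.
Verifier: checks the issuer signature, then accepts a disclosure only if its
digest is in the signed list.

ASSUMPTION: HMAC-SHA256 stands in for the issuer's real (asymmetric) signature,
so the verifier in this example shares ISSUER_KEY with the issuer."""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # assumed issuer signing key, example only


def _canonical(obj) -> bytes:
    """Deterministic JSON so issuer and verifier sign/check identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(disclosure: str) -> str:
    return hashlib.sha256(disclosure.encode()).hexdigest()


def issue(claims: dict) -> tuple[dict, dict]:
    """Return (signed credential, per-claim disclosures).

    Each disclosure is the JSON array [salt, claim_name, value]. The credential
    carries only the digests, sorted so their order reveals nothing, and the
    salt stops a verifier guessing a value by hashing candidates."""
    disclosures = {
        name: json.dumps([secrets.token_urlsafe(16), name, value])
        for name, value in claims.items()
    }
    payload = {
        "iss": "example-issuer",  # assumed issuer identifier
        "_sd": sorted(_digest(d) for d in disclosures.values()),
    }
    sig = hmac.new(ISSUER_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal: list[str]) -> dict:
    """Holder side: attach only the disclosures the relying party asked for."""
    return {"credential": credential, "disclosures": [disclosures[n] for n in reveal]}


def verify(presentation: dict, issuer_key: bytes) -> dict:
    """Verifier side. Returns the revealed claims or raises ValueError."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, _canonical(cred["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        raise ValueError("issuer signature invalid")
    signed = set(cred["payload"]["_sd"])
    revealed = {}
    for d in presentation["disclosures"]:
        if _digest(d) not in signed:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(d)
        revealed[name] = value
    return revealed


def age_check(presentation: dict, issuer_key: bytes) -> bool:
    """What the till or the door needs: a yes/no, nothing else."""
    return verify(presentation, issuer_key).get("age_over_18") is True


# Constructed sample credential: not a real person, document or licence number.
SAMPLE_CLAIMS = {
    "name": "A. N. Other",
    "date_of_birth": "1990-01-01",
    "address": "1 Example Street, Leeds",
    "driving_licence_number": "OTHER901010AN9AB",
    "age_over_18": True,
}


def demo() -> tuple[dict, bool]:
    """Issue the sample credential and present only age_over_18."""
    credential, disclosures = issue(SAMPLE_CLAIMS)
    presentation = present(credential, disclosures, ["age_over_18"])
    return presentation, age_check(presentation, ISSUER_KEY)


def forged_presentation_rejected() -> bool:
    """Edge case: an under-18 holder swaps in a disclosure claiming otherwise.
    Its digest is not among those the issuer signed, so the verifier refuses."""
    cred, disc = issue({**SAMPLE_CLAIMS, "date_of_birth": "2010-01-01", "age_over_18": False})
    disc["age_over_18"] = json.dumps(["forged-salt", "age_over_18", True])
    try:
        age_check(present(cred, disc, ["age_over_18"]), ISSUER_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    presentation, ok = demo()
    print("over 18:", ok)
    print("presentation contains the name?", "A. N. Other" in str(presentation))
    print("forged disclosure rejected:", forged_presentation_rejected())
```

Run it and the verifier answers yes while the presentation carries no name, address or licence number; the forged over-18 disclosure is rejected because its digest is not in the signed list. One caveat this simple scheme does not solve: the signed digest list is identical in every presentation, so two relying parties who compare notes can tell they saw the same credential. That is the correlation risk a wallet design has to address, for example with batch-issued or one-time credentials.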
Whilst in Sydney last year training and presenting, I saw they have the Opal card, which works just like the Oyster card in London to pay for public transport. Alternatively you can tap your bank card or your mobile wallet (Apple Pay or Google Pay). The reality is that for many who already use Apple Pay or Google Pay, a Digital Identification Wallet will add to their convenience.
How many of you carry around your bank cards, driving licence and other PII-related cards in your purse or wallet? With the advent of contactless payment, what would happen if your wallet or purse was stolen? There is a window of opportunity for criminals to misuse the cards in your wallet before you notice and cancel them.
How many people actively monitor their banking app settings and alter the following: –
Allow / Disallow Use online.
Allow / Disallow Contactless.
Set Contactless Limits.
Allow / Disallow use abroad.
Set ATM withdrawal limits.
Check which payment wallets their cards are linked to.
In Australia they also have: –
Migration Act 1958 (as amended in 2024 and enforced in 2025),
Privacy Act 1988,
Australian Online Safety Act 2021,
They are the equivalent of the UK regulation / legislation I have mentioned. Having read through them for the training I delivered with NSW Police, we have copied from the Australians; you only need to look at the year stamp of the Acts. The content is very similar.
For certain things whilst I was down under I had to prove my identity and / or age. A Digital Identification Wallet may have been preferable to having to carry my passport and produce it, especially where they were copying my passport or digitally scanning it. I am now one breach away from my passport being online.
Under the UK Immigration, Asylum and Nationality Act 2006, employers have a responsibility to ensure the people they employ have the right to work in the UK. This generally means employers asking for proof of identity, namely a driving licence and / or a passport, as well as maybe a P45 or P60, which they then copy and store.
When I deliver my Exfiltrated Data OSINT Training, I cover how I am seeing more and more driving licences, passports and sensitive data being exfiltrated and ending up on the dark web.
I used 'dark web' because that seems to make people feel more worried; it is an emotive phrase, the big bad dark web, but the truth is they are available on the clear web too.
It comes as a genuine surprise to some who attend my training that this data, personal sensitive data, is out there.
At my recent Exfiltrated Data OSINT event in Leeds, I showed the attendees the following for a person whose data had been exfiltrated in a breach: –
Driving licence
Passport
Bank Statement
Pay slip.
In the recent UK Government white paper on Policing, it states that: –
‘Fraud makes up 44% of all crime. 90% of crime has a digital element.’
Why provide these types of documents, which can be exfiltrated and used to defraud the owner? A Digital Identification Wallet could handle this for you: a simple code that the employer could check against a national database, with no need any more for sensitive documents or identification to be copied or digitally scanned. The Home Office's existing online right to work check, where a candidate gives the employer a share code rather than copies of documents, already works this way for those who are able to use it.
It is also true to say that employers are asking for and storing more information than they are required to under the UK Immigration, Asylum and Nationality Act; by collecting more than they need, some may be in breach of the data minimisation principle in UK GDPR.
Under the Act it is for the candidate to prove their right to work in the UK, and it is up to them how they do that, using the documents listed by the Home Office as acceptable proof. Some employers mandate that a candidate provide a passport, and some ask for a driving licence too; this is not necessary. And it means more data that can be exfiltrated if the company is subject to a cyber-attack or an insider threat.
I cover this in my Online & Digital Exposure Risk training: everyone has a responsibility to protect their own data and to question those who ask for things they are neither entitled to nor need.
Sometimes it is not the tech that is the issue, it is how the end user uses the tech.
If you went on holiday, you would not leave your windows and doors unlocked. You would not park your car in a public car park, leave it unlocked and the keys in the ignition.
Why not?
So why behave in a completely different manner when it comes to your own personal data or how you use tech?
We all have a personal responsibility to look after our personal data, to not automatically provide it on demand, question those asking for it and understand the tech you are using.
UK GDPR's data minimisation principle limits the personal data that can be collected to what is adequate, relevant and necessary for the stated purpose, with special category data subject to stricter conditions, and its security principle obliges those holding the data to keep it secure.
Now, of course, the details will be very important. Depending on how the Digital Identification Wallet is implemented, we should see fewer sensitive documents like driving licences and passports appearing and being sold online, as employers will have no need to collect them. They can use the Digital Identification Wallet, which should carry a verifiable token that can be automatically checked against a national database. One detail to watch is whether that token is a persistent unique identifier: the same number presented to every employer, landlord and retailer can be used to correlate a person's activity across all of them, whereas a purpose-specific or one-time code limits what any one verifier learns.
As I said in my opening gambit, mass Government surveillance has been mentioned, and a petition was started to record people's opposition to the Digital Identification Wallet, but it felt very emotive in nature.
I bet everyone reading this has a device that is connected to the internet, a mobile telephone and maybe even a vehicle. The data collected by the apps on your phone, or by the phone itself, even by your vehicle, is harvested and sold to data brokers. This is then aggregated with other data to build a picture of who you are and where you go or have been. Is this not a form of mass surveillance?
Have you been abroad recently?
The European Union's (EU) Entry/Exit System (EES) started on 12 October 2025. This is a new digital border system. It requires non-EU travellers to register biometric data, such as fingerprints and a photo, upon arrival, and aims to enhance border security and reduce illegal migration.
I came back into the UK recently; there were no old-style customs booths, it was all electronic biometric-controlled gates.
As I said earlier, I am approaching this from an Exfiltrated Data OSINT perspective, and I see it as this equation: –
Driving Licences, passports and other sensitive data being physically obtained by employers or others.
Versus
Digital Identification Wallets.
= Reduced risk of driving licences, passports and other sensitive data being exfiltrated during a cyber-attack, sold online and used in fraud.
Remember, in the UK fraud makes up 44% of all crime, and 90% of crime has a digital element. This is why hackers and cyber-criminals target your sensitive data. So let's stop providing sensitive data unnecessarily and find a better way.
I certainly wouldn't want to see an app that asks for permissions such as access to location, camera or microphone, or one that feeds data to advertisers.
The devil will definitely be in the detail, but by embedding privacy-by-design principles this has the potential to control access to data, sensitive data or information that does not need to be put at risk.
Gentle reminder: I am approaching this topic from a particular perspective, based on the Exfiltrated Data OSINT training I provide.