On 4 May 2026, the Electronic Frontier Foundation filed its submission to the UK government's consultation on the national Digital ID scheme that Prime Minister Keir Starmer unveiled in September 2025. The EFF's warning was blunt: a state-backed, device-linked identity layer risks creating a centralised surveillance architecture, chilling anonymous access to online services, and locking in a permanent record of who did what, where, and when.
British policymakers do not have to imagine how this story ends. They can read it in the experience of the Asia-Pacific region, where mandatory SIM registration regimes have been running for the better part of a decade. The results are not encouraging — and they map almost perfectly onto the risks the EFF flagged for Westminster.
The Starmer Plan, And Why It Worries Civil Society
The proposed UK Digital ID would let residents prove identity through a credential stored on a personal device, drawing on government-held data such as name, date of birth, and residency status. Ministers have pitched it as a frictionless way to access services, fight illegal employment, and modernise interactions with the state. The September 2025 announcement framed participation as voluntary, but civil society has noted the long history of "voluntary" identity systems hardening into de facto requirements once private actors — banks, landlords, platforms — start asking for them.
The EFF's submission focuses on three concerns: the centralisation of identifiers across previously siloed systems; the foreseeable mission creep from authentication into law enforcement and immigration enforcement; and the chilling effect on anonymous and pseudonymous activity online, which remains a backbone of free expression. A parallel letter co-signed by 18 organisations urged Westminster to address the root causes of online harm rather than rebuilding the citizen-state relationship around a mandatory identity gateway.
APAC's Long Experiment With Mandatory Identification
Mandatory SIM registration is not new. According to GSMA research, more than 150 jurisdictions globally now require some form of identity verification to activate a mobile connection, with APAC leading adoption. The promise has been consistent: tie every SIM to a real person, and you will deter fraud, terrorism, and online abuse. The reality has been considerably messier.
The Philippines offers the clearest cautionary tale. Republic Act No. 11934, the SIM Registration Act of 2022, made it unlawful to sell or activate a SIM without verified personal data. Telcos registered well over a hundred million SIMs during the rollout. Yet reports from the Philippine National Telecommunications Commission and consumer groups through 2023 and 2024 showed that text-based scams and phishing did not meaningfully decline — fraudsters simply switched to over-the-top messaging apps, foreign SIMs, and stolen identities used to register new cards. The principal effect was a vast new database of citizen identifiers held by private telcos, which were then breached repeatedly.
India learned a sharper version of the same lesson. The mandatory linkage of mobile numbers to Aadhaar, the country's biometric ID, was struck down in part by the Supreme Court's 2018 Puttaswamy judgment, which held that compulsory Aadhaar-SIM linking violated the constitutional right to privacy. The court did not deny the state's interest in identification; it held that the means were disproportionate to the ends. That proportionality test — borrowed in spirit from the European human rights tradition the UK has long endorsed — is precisely what is missing from Westminster's current consultation framing.
Pakistan's biometric SIM verification system, introduced in 2014 after the Peshawar school attack, similarly failed to deliver the security gains promised. Independent researchers have documented that militant networks adapted within months, while ordinary users — especially women, refugees, and rural residents without formal documents — were cut off from connectivity for extended periods.
The Pattern Westminster Should Read
Across these jurisdictions, three patterns recur, and each is directly relevant to the UK debate:
- Limited harm reduction. The criminal and fraudulent actors that identity mandates target are the most motivated to evade them. The compliance burden falls on the law-abiding majority.
- Honeypot risk. Aggregating identity data into a small number of mandatory chokepoints creates targets of irresistible value to attackers — state-sponsored and criminal alike. The 2023 Indonesian population registry leak and recurring Philippine telco breaches illustrate the cost.
- Exclusion of the vulnerable. Migrants, asylum-seekers, the unbanked, the housing-insecure, and survivors of domestic abuse are disproportionately harmed when identity verification becomes a precondition for everyday digital life.
A Pro-Innovation Path Forward
None of this means the UK should abandon identity modernisation. The case for better, faster, less paperwork-heavy ways to prove who you are when it genuinely matters — opening a bank account, accessing healthcare records, claiming benefits — is real. But the design choices matter enormously.
A proportionate approach would prioritise decentralised, selective-disclosure credentials built on open standards such as W3C Verifiable Credentials, where users can prove a specific attribute ("over 18", "UK resident") without revealing their full identity or generating a transaction log visible to the state. It would preserve robust alternatives for those who cannot or will not enrol. And it would draw a hard statutory line against function creep into law enforcement, immigration, or platform moderation — a line APAC's experience shows is otherwise impossible to hold.
The UK has historically been a leader in articulating that surveillance must be necessary and proportionate. Building a national Digital ID without the privacy-preserving architecture and statutory guardrails that principle demands would represent a sharp departure — and a costly one. Westminster has the unusual advantage of being able to study a decade of evidence from elsewhere before it commits. It should use it.