UK claims of digital ID cloud security likely come down to encryption, not location

A UK junior minister is holding up data residency as a factor in keeping digital identity information private and secure, and says the cloud servers storing and processing data for the new national digital ID will be located in the Kingdom.
Liberal Democrat MP Martin Wrigley asked in a parliamentary question posed to the Cabinet Office what plans the department has to ensure the infrastructure is “under sovereign UK control.”
Junior Cabinet Office Minister Josh Simons replied that “Data associated with the digital ID system will be held and kept safe in secure cloud environments hosted in the United Kingdom.”
“The Government will work closely with expert stakeholders to make the programme effective, secure and inclusive, including taking insights from previous IT projects where appropriate,” Simons added.
It was Simons who wrote in a previous response that the government will consider in-person onboarding for the national ID, and “a digitally enabled physical alternative for those without access to technology.”
Both the UK Cabinet Office and the Department for Science, Innovation and Technology (DSIT), which are working together on the UK’s digital ID, have contracts for public cloud services from Amazon Web Services. Other government agencies use other U.S.-based cloud providers, Public Technology reports.
Competition and Markets Authority figures indicate AWS and Microsoft hold around 80 percent of the UK cloud market between them.
The government designated data centers as critical national infrastructure last year, which grants them special status as protected areas. But what about the data inside them?
Residency and jurisdiction
Opposition politicians have claimed an increased risk of breach, but usually in such vague terms (see Conservative MP David Davis’ claim that “the entire population’s entire data will be open to malevolent actors”) that they do not pinpoint any particular characteristic or characteristics of the system as inadequate.
Left on its own to determine how much specificity to share with the public and digital identity industry, the government has declined to explain the measures it will use to protect citizens’ data.
Further, what exactly it means for the digital ID data to be hosted in the UK is uncertain, given questions yet to be answered about the architecture of the system.
Andy Thornley, head of regulatory policy for UK fintech industry group Innovate Finance, writes for techUK that while critics fear the creation of a single central database, the new digital ID represents an opportunity to hand sovereignty over personal data back to individuals. The government has so far been clear that its intention is to create a decentralized digital ID system based on federated data.
“A decentralized identity model means your credentials – your data attributes, are stored securely on your device, in your digital wallet,” he points out.
Federated data would remain with individual departments, meaning the data the user-controlled digital ID is populated with will continue to be stored in whatever databases it currently resides in. Data residency, in other words, does not grant jurisdictional immunity.
Compulsion and encryption
The U.S. Cloud Act states that the U.S. government can compel domestic companies to hand over data regardless of where it is held, so long as the company has control over it. “Sovereign cloud” operations can also create legal and contractual borders around data, though these do not necessarily supersede laws like the Cloud Act.
But the UK government says that GOV.UK uses encryption to protect the data it stores and transmits (at least for its Notify service) wherever possible, meaning that most of the data AWS would be able to hand over is encrypted.
The issue has come up before in the context of UK policing data hosted in the cloud, as Microsoft admitted that the Cloud Act means it cannot guarantee policing data uploaded into Police Scotland’s Digital Evidence Sharing Capability would remain in the UK. Scottish Biometrics Commissioner Brian Plastow questioned the legality of the arrangement and invited an investigation by the Information Commissioner’s Office.
The UK government had at the time already taken the position that “The supplier has no access to any of the data hosted in the AWS cloud.”
The UK government has already spent hundreds of millions of pounds with AWS, according to Public Technology.
In other words, the sensitive data that will be used to issue digital IDs is probably already stored in a cloud data center operated by a U.S.-based company subject to the Cloud Act. And the security of sensitive data stored in UK cloud data centers operated by American companies is already in dispute. But it’s probably fine, so long as you trust the UK government’s encryption, the U.S. government or Big Tech.