Convenience is the pitch. Concentration is the cost.
A national digital ID is sold on convenience: one credential, on your phone, for work, for services, for the age checks that now guard half the internet. The convenience is real. The half of the sentence that never makes the poster is just as real. One credential for everything is also one place where everything can go wrong at once.
A single place to lose all of it
Put your name, date of birth, photo, residency status, and a record of everywhere you use the thing into one linked system, and you have built something worth more to an attacker than any single company's database. Security people have a plain word for a store of valuable data that concentrates risk in one spot: a honeypot. A national identity system is the largest honeypot a country can build, and the most attractive target it can offer.
It has already happened
Governments are not better than companies at holding data. Often they hold more of it, for longer, with less that you can do about it.
The evidence is already on the record. A leaked UK Ministry of Defence relocation list exposed tens of thousands of Afghans who had helped British forces, including the officials whose safety depended on never being on a list at all. Estonia's national ID system was breached and hundreds of thousands of identity photos taken. India's Aadhaar, a biometric ID scheme, had records reportedly offered around for the price of a coffee. None of those were the imagined worst case. They already happened, to systems built by serious institutions making the same assurances.
You cannot reissue your face
A leaked password is a minute's work to change. A biometric bound to your legal identity is not. It is you, permanently, and you only get the one. Once a system that ties your identity to your biometrics leaks, there is no reset and no recourse, no new number to request, no account to close. The campaigners who fought the hardest against one such scheme kept returning to exactly this point, because it is the part that cannot be undone.
And every use is a line in a logbook
A card sits in a wallet and says nothing. A credential you present everywhere can record where you presented it. Each use is a data point: this person, this place, this moment. Collect enough of them and you no longer have an ID, you have a running account of a life, one that can be searched, sorted, and cross-referenced long after the fact. That is the quiet difference between an identity document and an identity system. The first proves who you are. The second also remembers everywhere you went to prove it.
"Voluntary" is doing a lot of work
Give the public credit: when the UK floated one such plan as mandatory, nearly three million people signed a petition against it in a matter of months, and the government dropped the compulsory element. That was a genuine win, and worth saying so.
But read what was conceded and what was not. The compulsion went. The infrastructure, the database, the wallet, the network of checks, is still being built. "Voluntary" is the easiest word in the language to revise later: voluntary today, the path of least resistance tomorrow, the only practical option the day after. A capability that exists tends to get used.
Intent is beside the point
A government does not have to mean you harm for this to be dangerous. A breach does not care about intent. Neither does the next administration, or the next contractor handed the keys. The danger here is structural: a single linked store of identity, plus a log of its use, is dangerous in exact proportion to how complete it is, regardless of who is holding it today or what they currently intend to do with it.
You can't object to the state. But the capture is already happening, at the companies you chose.
Here is where the fear turns into something you can do, and it does not wait for the national ID to arrive.
You cannot file an objection against a government department, and the ID is not here yet anyway. But your identity is already being taken, just not by the state. It is taken by the companies you use: every service that now makes you prove who you are, and from each of those first points it is handed down a chain you cannot see, to verifiers you never picked, to processors, to partners. A national ID would only centralise what these companies already do in scattered pieces. The danger was never one stray detail. It is all of them, collected and linked back into a single profile, which is exactly what a central record is.
So work the point where the leverage is still yours: the company you chose. It is the one you have an account with, the one you can question, limit, ask to delete, and leave. You did not pick the verifier downstream. You did pick the service that sent you there.
And the move there is small and concrete. For each company that holds you, there are three things worth doing: ask what they actually hold, tell them to use it only to run the service and stop feeding it to ad networks, brokers and model training, and, if you are leaving, ask them to delete it and hold them to the answer. None of that makes you vanish. What it does is stop the scatter from growing, and keep a record of who has what, so the day a piece of you surfaces where it should not, you can name who let it go.
A state can build a record of everyone. You build the one that names who holds you, starting with the companies you chose. It is the same discipline behind deletion never being the clean moment it sounds like and every privacy policy reading the same way. The infrastructure is being built either way. Build your half of it. Start your record →