Digital IDs: 50 countries ranked by digital ID requirements and use

Digital IDs are hailed as a convenient way to prevent identity theft, access key services (e.g., health and social welfare benefits), and create efficient systems. And, as the UK government is hoping to demonstrate, they may also help combat illegal immigration by making digital IDs a mandatory requirement for those seeking work.

But what about the privacy implications of these IDs and the risk of function creep?

For example, the UK government is one of the only governments planning to make its digital ID mandatory for a certain group of the population. In other countries, citizens often have a choice as to whether they sign up for the digital ID. Residents in a number of countries might not be able to access key services without their digital ID, but it often isn’t a legal requirement to have one.

In the UK, 75 percent of the adult population who are employed will need a digital ID. Only job seekers will need the digital ID to start, but over time, most of the population could need it to access crucial services.

In opposition, more than 2.9 million people signed the UK’s “Do not introduce Digital ID cards” petition.

To find out which countries already have such systems in place and how invasive these are, our team examined the top 50 countries by GDP. For countries with a digital ID scheme, we noted the purpose of the ID, what data is collected to create these systems, and what the digital IDs are used for in each. We scored countries on a scale of 33 points. Lower scores indicate a more limiting and invasive use of the identification system, while higher scores indicate a less restrictive, more privacy-conscious approach to digital IDs.

This time around, we also looked at the privacy and security of the Android apps connected to a country’s digital ID (where applicable). We analyzed these to see how many permissions the apps are requesting and how many of these are potentially high-level or “dangerous” (see the app security section for more information). We also examined how many trackers each app has.

What is a digital ID?

Before we get stuck in, let’s clarify what we mean by digital ID. We’re using the definition offered by Moody’s, which describes a digital ID as a “secure mobile application that stores multiple verified credentials in one place.” These credentials include digitized versions of physical documents, such as a national ID, a passport, vaccination certificates, or a driving license.

Users can choose which element of this compound identity to share, as and when it’s required. For example, a person can just choose to share their name. This is different from using an electronic ID card, where the person would also expose other information, such as a photo, signature, or their date of birth. We make this distinction because electronic ID cards are often referred to as digital IDs.

Key findings

Out of the 50 countries we analyzed:

  • 37 countries have implemented digital ID schemes
  • Of the 13 countries without fully-fledged digital ID schemes, nine are in the process of creating them, including the UK
  • Seven countries with digital IDs rely on a centralized database for verifying credentials
  • The UK is the only country planning to make its digital ID mandatory for certain tasks (in this case, getting a job)
  • Every EU (and EEA) country is required to have a digital ID by the end of 2026
  • The majority of digital IDs are designed for access to government services, such as benefits, with many also being linked to banking and healthcare
  • The Philippines’ digital ID app for Android (eGovPH) requested the most (15) potentially dangerous runtime permissions overall
  • The United Arab Emirates’ UAE Pass app contained the most trackers (seven in total)

Please note: As the UK’s digital ID, BritCard, is still being finalized, it hasn’t been included in our overall scoring. But we have highlighted where it would appear in the scoring system based on the information currently available.

The worst countries for digital ID requirements and use

The following countries received the lowest scores, which means their use of digital IDs is potentially invasive, limiting, and lacking in data privacy.

China = 12.5/33

China is the worst-scoring country overall. It introduced its National Online Identity Authentication App in July 2025 via the 16-article Internet ID regulations. Users are required to register with their national identification card and facial recognition. This data is then stored on a centralized database (0 points).

Furthermore, China doesn’t have a single comprehensive data protection law, relying instead on various laws and regulations (0.5 points). According to the Linklaters law firm, “disclosure obligations under Chinese law override personal data protection laws.” This is borne out by Article 11 of the regulations, which introduces exemptions from data protection for “confidential” matters.

Once registered with the National Online Identity Authentication App, users are provided with a “web number” and “web certificate” that can be used to verify their identity when accessing government services and online portals.

While the regulations say that app registration is voluntary, campaign groups believe it is likely to become essential. Public and private services are encouraged to adopt it into their authentication flows, and several big-name platforms are already on board. These include Weixin (WeChat), Xiaohongshu (RedNote), Taobao, and Zhaopin.

Nigeria = 14/33

Nigeria’s new NINAuth app is designed to provide Nigerians with simplified access to government services. To get the app, users must have a National Identification Number (NIN), which involves the government taking 10 fingerprints, a photo, and a digital signature. Such data is then stored in the National Identity Database run by the National Identity Management Commission (NIMC).

While obtaining a NIN isn’t mandatory, it may as well be. Legislation is in place that makes a NIN compulsory for everything from accessing healthcare to attending school.

UAE and Pakistan = 15/33

The UAE utilizes UAE Pass to provide access to more than 12,000 services from the government and private sector. In addition, its vault allows users to store and share digital documents. To use the UAE Pass app, users are required to have an Emirates ID, which is a government-issued identity card for citizens and residents.

In 2023, the Ministry of Industry and Advanced Technology (MoIAT) made the app mandatory for people who want to access its industrial, standards, conformity, and national accreditation services. In 2024, the Ministry of Human Resources and Emiratisation (Mohre) made UAE Pass mandatory for those wishing to log in to its platforms.

In Pakistan, the Pak ID mobile app reduces the need for citizens to visit the offices of NADRA (National Database & Registration Authority). To use it, users must submit either fingerprints or facial captures to be verified by NADRA. Users have reported issues with both methods. Pakistan has failed to introduce an adequate data protection law (0 points) and its centralized biometric database is used by the police.

Singapore, Denmark, Norway, and Spain = 16/33

Singapore’s digital ID, Singpass, is used by approximately 97% of adults in the city-state. The app isn’t mandatory, though day-to-day life can be difficult without it. Singpass works in conjunction with an autofill form system called MyInfo. Once Singpass has authenticated a user, the MyInfo platform extracts data from the relevant government agency to prefill the form with all of the necessary information required to carry out a certain task, e.g. open a bank account.

Singpass does collect data and third parties may access it. Although 2FA is mandatory, there have been reports of people selling their credentials for use by scammers.

As previously mentioned, EU countries are required to have digital IDs by the end of 2026. Denmark, Norway, and Spain are three countries that have already implemented their own schemes.

Denmark’s digital identity system, MitID, was introduced in 2021 and is now a key part of Danish life. In Norway, citizens primarily use the BankID app for digital identification when accessing public services and for secure online transactions.

BankID is operated by a private company, while MitID is a public-private partnership. This involvement of the private sector is relatively unusual from a global perspective. Most digital IDs, such as Spain’s MiDNI, are developed by the government.

Based on our understanding of the planned implementation of BritCard in the UK, this would also likely score 16 points within our ratings, making it one of the top 10 most invasive digital IDs in place. This is due, in part, to it being compulsory for a large number of people and the data being stored on a centralized database.

Other mentions

India = 17/33

India’s mAadhaar app provides a digital version of the Aadhaar identity card. As such, it draws from the centralized Aadhaar database, which is the largest of its kind in the world. Aadhaar is a prime example of how digital identification systems can lead to huge data breaches. In late 2023, the data of 815 million Indians was leaked on the dark web. Stolen information included names, addresses, phone numbers, passport information, and Aadhaar numbers. Worse still, the database was also compromised in 2018.

Saudi Arabia = 18/33

Saudi Arabia’s digital ID app, Absher, is the default portal for official government services, so it’s used by most Saudi citizens and residents with a national ID (Iqama). Absher isn’t mandatory, but it does demonstrate how digital IDs can be used for all the wrong reasons.

For example, Absher can be used to issue travel permits. Reports suggest this feature has been used by male users to track female ‘dependents’ when they present travel documents at the border. In some cases, male guardians revoked travel permits via the app.

Even though the app doesn’t provide real-time tracking, it can effectively allow men to control women’s movements.

Countries without Digital IDs

The following countries do not have digital IDs, though the majority are in the process of implementing them:

  • Egypt – The Central Bank of Egypt is launching a digital identity app to make it easier to access services.
  • Finland – The country’s Digital and Population Data Services Agency is creating a digital identity wallet, which will be available by late 2026.
  • Mexico – Digital IDs look set to come into place soon as many discussions are underway and legislation is in progress.
  • Russia – The state-backed mandatory ‘super app’, Max, launched a test version of its digital identity feature in September 2025.
  • Iran – Discussions are underway, with digital IDs for rations mentioned. UID, an Iranian digital ID and biometrics firm, also offers e-KYC solutions for businesses and operates a live biometric system for the police.
  • Ireland – The Irish government completed the pilot of its digital identity wallet in August 2025, with an official launch planned by the end of 2025.
  • Canada – Trials of digital IDs have been made in certain regions but nothing national has been put in place.
  • Japan – As of June 2025, the country’s electronic ID card can be used in Apple Wallet on an iPhone.
  • Israel – The country has a biometric identity card but no digital ID wallet.
  • South Africa – The South African government plans to introduce a single digital ID system before the country’s next elections in 2029.
  • Taiwan – The Taiwanese government unveiled the prototype of its digital identity wallet in early 2025.
  • United States – While several states are looking toward digital IDs, nothing national has been introduced. This month, Apple launched a digital ID feature for US passport holders. This can be used for domestic flights at around 250 airports.
  • United Kingdom – This year, the UK announced a new digital ID scheme, which will be compulsory for anyone wanting to work. Plans are in place to implement this before August 2029.

Why should we be concerned about digital IDs?

Digital IDs can limit citizens’ access to key services and are vulnerable to abuse. From the risk of data breaches to increased surveillance, digital IDs pose a concerning risk to the privacy of citizens.

Digital IDs draw their data from one or more government databases. Such databases contain a wealth of personal information that’s naturally attractive to hackers. Disruptions can have widespread effects, such as the cyber attack that blocked access to Poland’s central PESEL (Universal Electronic System for Registration of the Population) registry, which is used to verify identities across a range of public services.

Having a digital ID system in place enables governments to track citizens’ movements, financial activities, healthcare records, and more. Often, these digital ID schemes are brought into place without adequate data protection or legislation. Or, they are being introduced in areas where access to the internet is limited, which immediately isolates a large number of people.

Equally, digital IDs introduced under the guise of a particular scheme risk function creep, when the system expands beyond its original purpose into a mandatory and ultimately invasive method of control. For example, the UK government has said its digital IDs won’t be used for accessing health or welfare payments. However, it is integrating digital IDs with government services, so “in time” they may help speed up applications for driving licences, childcare, and welfare.

Digital IDs can also be interconnected between countries. For example, the EU is in the process of creating the European Digital Identity. This will allow citizens to do various things, including identifying themselves, signing things electronically, booking hotel accommodation online, opening bank accounts, authenticating payments, and submitting tax declarations.

Digital IDs may be the ‘future’, but without careful consideration and clear policies in place, they put citizens’ data, privacy, and freedom at increased risk.

How secure are digital ID apps?

Given that citizens use digital IDs to access their most personal information, we thought we’d look at exactly how secure and private the apps were. We analyzed 33 digital ID apps currently available via the Google Play Store. We did this by examining the individual manifests of each of the apps. We were particularly interested in the number of trackers each app employed and the number of high-level or “dangerous” permissions they requested.

High-level, “dangerous” permissions

Android classes a permission as being “dangerous” if it gives your “app additional access to restricted data or lets your app perform restricted actions that more substantially affect the system and other apps.” This includes those that request access to one or more of the following groups: body sensors, calendar, calling, camera, contacts, GPS location, microphone, storage, and texting.

Some of these are needed for the functioning of the app, such as camera access for facial verification, while others are harder to justify. For example, requiring access to a user’s precise location seems excessive when users’ general location can be established using network-based sources, such as cell towers and Wi-Fi networks.

Across the 33 apps we tested, the most requested permissions were:

  • CAMERA – Gives the app access to the camera function of the device
  • READ_EXTERNAL_STORAGE – Allows the app to read data saved in external storage on the device (e.g. outside of the app)
  • WRITE_EXTERNAL_STORAGE – Allows the app to write data to external storage on the device (e.g. outside of the app)
  • ACCESS_FINE_LOCATION – Gives the app access to the location of the device, accurate to within about 50 meters
  • ACCESS_COARSE_LOCATION – Gives the app access to the location of the device, accurate to within about 3 square kilometers

The Philippines’ digital ID (eGovPH) requested the most potentially dangerous permissions overall (15). These included access requests for images and videos stored on the user’s device, as well as requests for GPS and Bluetooth functionality (which itself can be used to build up user location profiles). The digital ID apps from Chile (Identificación Digital) and Colombia (Cédula Digital) both requested 12 potentially dangerous permissions each – including access to “fine” location, camera, Bluetooth, and external storage.

These apps all make it clear which permissions they will request under the ‘Permissions’ heading of the ‘About this app’ section in the Google Play Store, but that doesn’t necessarily tally with each app’s privacy policy (accessible via the ‘App support’ section of the Google Play Store). For example, neither the Cédula Digital (Colombia) nor the Identificación Digital (Chile) app mentions asking users for access to their GPS. The eGovPH (Philippines) app does, but gives no justification for why it collects this data.
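The manifest check described in this section can be reproduced with a short script. This is an added example, not the researchers' own tooling. It assumes the manifest has already been decoded to text XML (inside an APK it is stored as binary XML), uses a partial list of Android's documented "dangerous" permissions, and runs on a constructed sample manifest with a made-up package name.

```python
"""Split the permissions declared in a decoded AndroidManifest.xml into dangerous and other."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Partial map (assumption: not the article's exact list) of permissions whose
# Android protection level is "dangerous", keyed to a permission group.
DANGEROUS = {
    "CAMERA": "camera", "RECORD_AUDIO": "microphone",
    "ACCESS_FINE_LOCATION": "location", "ACCESS_COARSE_LOCATION": "location",
    "ACCESS_BACKGROUND_LOCATION": "location",
    "READ_EXTERNAL_STORAGE": "storage", "WRITE_EXTERNAL_STORAGE": "storage",
    "READ_MEDIA_IMAGES": "storage", "READ_MEDIA_VIDEO": "storage",
    "READ_CONTACTS": "contacts", "READ_CALENDAR": "calendar",
    "READ_PHONE_STATE": "calling", "CALL_PHONE": "calling",
    "SEND_SMS": "texting", "READ_SMS": "texting", "BODY_SENSORS": "body sensors",
    "BLUETOOTH_SCAN": "bluetooth", "BLUETOOTH_CONNECT": "bluetooth",
}

# Constructed sample manifest (hypothetical app, not one of the 33 analyzed).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.digitalid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission-sdk-23 android:name="android.permission.BLUETOOTH_SCAN"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
</manifest>
"""


def audit_manifest(manifest_xml):
    """Return dangerous permissions (name -> group), other permissions, and SDK caps."""
    root = ET.fromstring(manifest_xml.strip())
    report = {"dangerous": {}, "other": set(), "sdk_capped": {}}
    # Both tags declare permissions; the -sdk-23 form applies on Android 6.0+ only.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name", "")
            short = name.rsplit(".", 1)[-1]
            if name.startswith("android.permission.") and short in DANGEROUS:
                # Dict keys de-duplicate repeated declarations.
                report["dangerous"][short] = DANGEROUS[short]
                # maxSdkVersion means the request only applies up to that API
                # level, so a raw count overstates exposure on newer devices.
                cap = element.get(ANDROID_NS + "maxSdkVersion")
                if cap is not None:
                    report["sdk_capped"][short] = int(cap)
            elif name:
                report["other"].add(name)
    return report


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print(len(result["dangerous"]), "dangerous:", sorted(result["dangerous"]))
    print("groups:", sorted(set(result["dangerous"].values())))
    print("capped by maxSdkVersion:", result["sdk_capped"])
```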

Trackers

Trackers are code embedded into an app to collect data. 10 of the 33 apps we analyzed had no trackers, which is the ideal scenario. The app with the most trackers was the United Arab Emirates’ UAE Pass, which had seven in total.

One of the trackers embedded is for Huawei Mobile Services (HMS) Core, which is a collection of proprietary services, APIs, and tools by Huawei that provide basic services for mobile devices (like Google Mobile Services). It can involve the collection of biometric information, among other data. This is contrary to its developers’ claims (via the Google Play Store) that the app doesn’t share data with third parties. Singapore’s Singpass app and Malaysia’s MyDigital ID app also embed a Huawei tracker.

Huawei says that personal data is processed and analyzed on your device “wherever possible”, and that “efforts” are made to ensure users know how the data will be used and how to opt out. While the presence of the Huawei Mobile Services (HMS) Core tracker isn’t inherently malicious, it’s worth noting that Huawei telecommunications equipment is considered a national security risk by several countries, including the US, Australia, New Zealand, and the UK.

Poland’s mObywatel app contained the next-highest tracker count (6). We were disappointed to see that one of its six trackers was for Facebook Login. Allowing users to authenticate using their Facebook account seems questionable for a government-issued app, particularly when doing so gives Facebook insights into the use of said app. The presence of the Facebook tracker again seems to contradict the developers’ assertion on the Google Play Store that user data isn’t shared with third parties.

Methodology

Our research focused on the top 50 countries by GDP (as of October 2025). We looked at the most widely used digital ID app in each country. Where countries had more than one app available, we focused on the one that’s most widely used. To give the countries a score out of 33, we created 16 categories with various scores for each. These were as follows:

  • Does the country have a digital ID?
    • Yes = 0
    • In progress (for 2025) = 1
    • Trialing/in progress but no legislation etc. = 2
    • No = 3
  • Is the digital ID mandatory for all citizens?
    • Yes = 0
    • Most citizens (age limit, e.g. 14+, or no access to certain services without) = 1
    • No = 2
  • Not mandatory but heavily restricted without
    • Yes = 0
    • No = 1
  • Is personal data, e.g. names, dates of birth, or addresses, stored in the digital ID? This includes where the digital ID is just available via an app.
    • Yes = 0
    • No = 1
  • Are biometrics stored in the digital ID? This includes where the digital ID is just available via an app.
    • Yes – fingerprints (and possibly photos/facial scans) = 0
    • Yes – photos only = 1
    • No but linked to a biometric ID card = 2
    • No = 3
  • Has the country failed to introduce legislation to protect biometric data?
    • Yes = 0
    • Some provisions = 0.5
    • No = 1
  • What are the digital IDs used for?
    • Government services = Yes (0), Yes – not compulsory (1), No (2)
    • Right to work = Yes – compulsory (0), Yes – not compulsory (1), Not used (2)
    • Access to government benefits/aid = Yes – compulsory (0), Yes – not compulsory (1), Not used (2)
    • Healthcare = Yes – compulsory (0), Yes – not compulsory (1), Not used (2)
    • Banking = Yes – compulsory (0), Yes – not compulsory (1), Not used (2)
    • Education = Yes – compulsory (0), Yes – not compulsory (some travel, e.g. booking local trains) (1), Not used (2)
  • Is the app connected to a centralized database?
    • Yes = 0
    • No = 1
  • Are third parties granted access to this data via the app?
    • Yes = 0
    • With consent = 1
    • No = 2
  • What is the data storage period for the app?
    • Not stated = 0
    • Until no longer needed/the app is deleted = 1
    • Over five years = 2
    • 1 to 5 years = 3
    • Less than a year = 4
    • Not stored = 5
  • Does the app use two-factor authentication?
    • No = 0
    • Optional = 1
    • Compulsory = 2

For the digital IDs available via Google Play, we examined the individual manifests of each app to see which permissions the apps were requesting. We assigned these into two categories – “normal” and “high level.” The trackers used by each app were drawn from an analysis of the respective app’s APK file.

Note that this study differs from our research published in 2023 in that it specifically looks at digital ID apps. Our previous research had a broader scope, incorporating digital ID apps (such as Singapore’s SingPass) as well as physical digital ID cards (such as Pakistan’s Computerized National Identity Card (CNIC)). The updated scoring reflects this narrower focus.

For a full list of sources, please request access here (stating your name and interest in the data – any requests without won’t be granted).