Irish and UK Government Digital Policy Moves: Expanded Surveillance Powers and In-House Digital ID Build
Ireland is considering legislation to expand law enforcement digital surveillance authorities, including stronger powers to intercept communications (explicitly including encrypted messages) and to create a clearer legal basis for police use of spyware. The proposal signals a shift toward more formalized state capabilities for communications interception and device compromise, with direct implications for privacy, lawful access, and the security expectations of end-to-end encrypted services.
In the UK, the government indicated that a new digital identity program is expected to be designed, built, and run by in-house government teams rather than outsourced to external suppliers, while declining to provide firm cost estimates ahead of a planned consultation. Ministers stated costs would be met within existing spending settlements, and the government pushed back on an external estimate (reported as £1.8B) pending consultation outcomes—raising governance, delivery-risk, and security-assurance questions for a large-scale identity platform even as detailed technical and budgetary specifics remain limited.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
UK government schedules February consultation on digital ID scheme
The government said a consultation on the digital identity program is planned for February, with final policy and cost decisions to follow that process. Officials also said inclusion measures would be needed for people without smartphones or with low digital confidence.
Ireland proposes law expanding police digital surveillance powers
Ireland proposed new legislation to broaden police digital surveillance authorities, including stronger powers to intercept communications and explicitly cover encrypted messages. The proposal would also create a legal basis for police use of spyware.
UK government drops compulsory digital ID element for new jobs
Ministers said they had abandoned an earlier proposal that would have made digital ID compulsory when starting a new job. Instead, the scheme is being positioned as one optional way to prove right-to-work eligibility through digital checks.
UK government outlines in-house digital ID plan to MPs
The UK government gave MPs limited details on its planned digital identity scheme, saying it expects the system to be designed, built, and run mainly by in-house government teams rather than outsourced. Ministers also said costs would be met within existing spending review settlements and that final cost decisions would follow further policy and design work.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ireland Proposes Communications Bill to Legalize Police Spyware and Expand Interception Powers
Ireland’s government announced plans to introduce the **Communications (Interception and Lawful Access) Bill**, a legislative overhaul intended to modernize the country’s lawful interception framework and explicitly provide a legal basis for law enforcement use of **spyware**. Officials said the existing **Postal Packets and Telecommunications Messages (Regulation) Act 1993** predates modern communications, particularly end-to-end encrypted messaging, and argued a new framework is needed to address serious crime and security threats while adding “robust” safeguards to ensure powers are necessary and proportionate. The proposed bill is described as covering **“all forms of communications, whether encrypted or not,”** and enabling access to both **content and metadata**, expanding scope to services and device categories such as electronic messaging platforms, email, and **IoT** communications. While the announcement emphasizes privacy/security safeguards and increased technical cooperation between state agencies and service providers, reporting notes it does not clearly explain the technical mechanism for accessing encrypted communications—an outcome that in practice often requires **device compromise** (e.g., government-grade spyware) or local forensic extraction tools (e.g., *Cellebrite*). The government also indicated alignment with the EU Commission’s roadmap on lawful access and encryption-related interception issues.
Mar 21, 2026
EU Digital Omnibus Proposals Face Privacy Watchdog Backlash Over GDPR Changes
European privacy watchdogs and digital rights advocates are pushing back against the European Commission’s proposed **“Digital Omnibus”** package, arguing that amendments billed as regulatory “streamlining” could **weaken EU privacy protections** and erode fundamental rights. Reported concerns focus on proposed changes to the **GDPR**, including narrowing the definition of **personal data** so that not all data that could potentially be linked to an identifiable person would qualify, alongside other adjustments intended to reduce compliance friction (e.g., reducing cookie banner requirements in some cases and simplifying multi-law breach notification processes). Separately, UK officials told Parliament that **legacy IT** is impeding implementation of technical controls meant to prevent repeats of the Ministry of Defence’s highly sensitive Afghan data exposure, where roughly **19,000** resettlement applicants’ details were compromised via a **CC instead of BCC** email error. The government’s Information Security Review recommended shifting cross-government information sharing away from email/attachments and toward source-based sharing, but ministers and the chief data officer cited departmental system fragmentation as a barrier to rolling out attachment-blocking and safer data-transfer mechanisms at scale.
Mar 21, 2026
Governments Expand Digital Surveillance Through Interception, Spyware, and Biometric Systems
Governments are broadening digital surveillance through a mix of network interception, lawful intercept platforms, deep packet inspection, mandatory data retention, endpoint spyware, platform monitoring, and public-space surveillance, according to a new risk assessment. The report highlights Russia’s opaque `SORM` model as a prominent example of state interception architecture and says Chinese and Russian surveillance technologies are being exported to multiple countries, extending these capabilities beyond their domestic markets. The assessment says commercial spyware including **Predator**, **Candiru**, **Pegasus**, and **Paragon** has been used against journalists, activists, and civil society, while newer laws and policies in countries such as Ecuador, Myanmar, Nicaragua, Vietnam, Cambodia, Kyrgyzstan, Russia, and Kazakhstan are expanding state access to communications, metadata, biometric records, and internet infrastructure. It also points to growing use of **Safe City** platforms, facial recognition, `IMSI` catchers, national messenger apps, digital ID systems, and centralized biometric databases, warning that weak oversight raises risks ranging from privacy abuses and human-rights violations to corporate espionage, zero-day exploitation, and exposure of sensitive personal data.
Jun 24, 2026