According to Big Brother Watch, Her Majesty’s Revenue and Customs (HMRC) has collected 5.1 million taxpayers’ voiceprints without their consent. Millions of callers to HMRC have been required to repeat the phrase: “My voice is my password” on an automated line before being able to access services. Big Brother Watch said taxpayers are being “railroaded into a mass ID scheme” as they’re not given the choice to opt in or out of a scheme that experts say breaches UK data protection laws.
Big Brother Watch submitted Freedom of Information requests revealing that this particular Government department has amassed a staggering 5.1 million voiceprints. However, HMRC has refused to disclose which other Government departments the voice IDs have been shared with, how the IDs are stored and used, whether it’s possible to delete a voice ID, which legal territory the data is kept in, how much the scheme has cost taxpayers or the legally-required privacy impact assessment.
The Information Commissioner’s Office (ICO) is now investigating the issue.
After members of the public raised concerns, Big Brother Watch tested the system and found that there’s no option for callers to opt out of the ID scheme or have their voiceprint securely deleted. HMRC’s automated line instructs callers: “I’ll need you to say exactly those words”… Callers who say “No” are repeatedly instructed by the automated line: “It’s important you repeat exactly the same phrase. Please say ‘My voice is my password’”.
Voice IDs identify taxpayers just by hearing their voice when they call HMRC’s helpline. Voice ID technology converts the sound and rhythm of each person’s voice into a uniquely identifying numerical pattern that’s as sensitive as a fingerprint. However, the security of voice ID has been disputed. The technology came under fire in 2017 when a BBC reporter tricked HSBC’s voice ID system into allowing access to a bank account.
Building ‘Big Brother Britain’
Silkie Carlo, director of Big Brother Watch, explained: “Taxpayers are being railroaded into a mass ID scheme that’s incredibly disturbing. The tax man is building ‘Big Brother Britain’ by imposing biometric ID cards on the public by the back door. The rapid growth of the British database state is alarming. These voice IDs could allow ordinary citizens to be identified by Government agencies across other areas of their private lives. HMRC should delete the 5 million voiceprints it has taken in this shady scheme, observe the law and show greater respect to the public.”
Pat Walshe, data protection law expert and director of Privacy Matters, added: “HMRC’s voiceprint scheme appears to be almost surreptitious and apparently fails to meet basic data protection principles. The non-transparent method of harvesting people’s data and significant questions of lawfulness are troubling. Given the significant number of citizens involved, and the potential for broader use of biometric voiceprints by Government agencies, the ICO could issue a notice requiring the temporary suspension of the scheme.”
A spokesperson for HMRC said: “Our Voice ID system is very popular with customers as it gives a quick and secure route into our systems. The Voice ID data storage meets the highest Government and industry standards for security.”
Andrew Bud, founder and CEO of facial verification start-up iProov, commented: “Biometric authentication is the most user friendly and accessible way of determining whether a customer is in fact who they claim to be – just as humans would when at a customer service desk or at a border crossing, for example. Extensive studies have also highlighted just how effective these modern machine learning tools are at getting this right compared with humans. Privacy and trust are vital. There’s a big difference between biometric recognition, which identifies citizens sometimes without their knowledge, and biometric authentication that helps the citizen confirm their identity to their benefit and under their control. Every organisation offering this capability must adhere to the stringent regulations now in force to protect users’ privacy.”
The General Data Protection Regulation (GDPR), which came into force across the European Union on 25 May, requires organisations to obtain explicit consent before they use biometric data (including voice recordings) to identify someone.
Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, observed: “Being a Government entity, HMRC may be lawfully exempted from many regulatory requirements. The underlying purpose of data collection is probably perfectly legitimate and reasonable. However, the problem is whether HMRC is capable of duly securing the data.”
Kolochenko continued: “Voice samples usable for identification can be leveraged by attackers in sophisticated phishing attacks. Many European organisations become victims of fake phone calls allegedly from their management teams demanding to transfer funds, change shipment address or even to fire someone. Thus, such a database can be a very attractive bait for skilled cyber criminals. HMRC should therefore ascertain that the data is both properly encrypted and protected.”