Big Brother Watch accuses HMRC of creating “biometric ID cards by the back door”

According to Big Brother Watch, Her Majesty’s Revenue and Customs (HMRC) has collected 5.1 million taxpayers’ voiceprints without their consent. Millions of callers to HMRC have been required to repeat the phrase: “My voice is my password” on an automated line before being able to access services. Big Brother Watch said taxpayers are being “railroaded into a mass ID scheme” as they’re not given the choice to opt in or out of a scheme that experts say breaches UK data protection laws.

Big Brother Watch submitted Freedom of Information requests revealing that this particular Government department has amassed a staggering 5.1 million voiceprints. However, HMRC has refused to disclose which other Government departments the voice IDs have been shared with, how the IDs are stored and used, whether it’s possible to delete a voice ID, which legal territory the data is kept in, how much the scheme has cost taxpayers or the legally-required privacy impact assessment.

The Information Commissioner’s Office (ICO) is now investigating the issue.

After members of the public raised concerns, Big Brother Watch tested the system and found that there’s no option for callers to opt out of the ID scheme or have their voiceprint securely deleted. HMRC’s automated line instructs callers: “I’ll need you to say exactly those words”… Callers who say “No” are repeatedly instructed by the automated line: “It’s important you repeat exactly the same phrase. Please say ‘My voice is my password’”.

Voice IDs identify taxpayers just by hearing their voice when they call HMRC’s helpline. Voice ID technology converts the sound and rhythm of each person’s voice into a uniquely identifying numerical pattern that’s as sensitive as a fingerprint. However, the security of voice ID has been disputed. The technology came under fire in 2017 when a BBC reporter tricked HSBC’s voice ID system into allowing access to a bank account.

Building ‘Big Brother Britain’

Silkie Carlo, director of Big Brother Watch, explained: “Taxpayers are being railroaded into a mass ID scheme that’s incredibly disturbing. The tax man is building ‘Big Brother Britain’ by imposing biometric ID cards on the public by the back door. The rapid growth of the British database state is alarming. These voice IDs could allow ordinary citizens to be identified by Government agencies across other areas of their private lives. HMRC should delete the 5 million voiceprints it has taken in this shady scheme, observe the law and show greater respect to the public.”

Pat Walshe, data protection law expert and director of Privacy Matters, added: “HMRC’s voiceprint scheme appears to be almost surreptitious and apparently fails to meet basic data protection principles. The non-transparent method of harvesting people’s data and significant questions of lawfulness are troubling. Given the significant number of citizens involved, and the potential for broader use of biometric voiceprints by Government agencies, the ICO could issue a notice requiring the temporary suspension of the scheme.”

A spokesperson for HMRC said: “Our Voice ID system is very popular with customers as it gives a quick and secure route into our systems. The Voice ID data storage meets the highest Government and industry standards for security.”

Andrew Bud, founder and CEO of facial verification start-up iProov, commented: “Biometric authentication is the most user friendly and accessible way of determining whether a customer is in fact who they claim to be – just as humans would when at a customer service desk or at a border crossing, for example. Extensive studies have also highlighted just how effective these modern machine learning tools are at getting this right compared with humans. Privacy and trust are vital. There’s a big difference between biometric recognition, which identifies citizens sometimes without their knowledge, and biometric authentication that helps the citizen confirm their identity to their benefit and under their control. Every organisation offering this capability must adhere to the stringent regulations now in force to protect users’ privacy.”

Explicit consent

The General Data Protection Regulation (GDPR), which came into force across the European Union on 25 May, requires organisations to obtain explicit consent before they use biometric data (including voice recordings) to identify someone.

Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, observed: “Being a Government entity, HMRC may be lawfully exempted from many regulatory requirements. The underlying purpose of data collection is probably perfectly legitimate and reasonable. However, the problem is whether HMRC is capable of duly securing the data.”

Kolochenko continued: “Voice samples usable for identification can be leveraged by attackers in sophisticated phishing attacks. Many European organisations become victims of fake phone calls allegedly from their management teams demanding to transfer funds, change shipment address or even to fire someone. Thus, such a database can be a very attractive bait for skilled cyber criminals. HMRC should therefore ascertain that the data is both properly encrypted and protected.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
