UK’s Tax Agency Has Collected 5.1M Voice IDs Without Consent

HMRC, or Her Majesty’s Revenue and Customs, has in its possession the voice records of millions of Brits, a UK-based privacy and civil liberties group has said.

An investigation by Big Brother Watch, a non-profit, non-party British civil liberties and privacy campaigning organisation, revealed that HMRC, the UK’s tax agency, has collect biometric voiceprints of 5.1 million taxpayers without their consent.

The Story So Far…

Since January 2017, HMRC has been recording calls to the tax credits and self-assessment helplines and using the recordings to create voiceprints that it uses to identify callers in the future.

The function is marketed as an as an optional feature meant to improve customer service. The statement reads:

“HMRC will be encouraging customers who call to take advantage of the Voice ID service, but they can choose to opt-out and continue to use HMRC’s services in the usual way if they prefer.”

But during Big Brother Watch’s investigation, there were simply no instructions on how to opt out. The automated system asks the caller to create their voice ID by repeating the phrase “my voice is my password” before being able to access services. It did not offer them a choice.

To avoid creating a voice ID, a caller would be required to say “no” three times, something that Big Brother Watch discovered by chance, as it was not specified anywhere. What’s more, saying no three times would only skip creating the voice ID on that particular call. Call again and you will be asked again.

Users can opt out from using voice recognition for authentication, but only after recording it; the process to do so is also quite complicated. Finally, users can’t have their voice ID removed from the database.

What Is Voice ID?

Voice ID is a form of biometric identification and authentication, think of it as a voice fingerprint if you like. Voices are analyzed, voice patterns and rhythms are extracted and used to identify a specific person. The analysis takes into account over 100 behavioral and physical vocal traits, including the size and shape of the mouth, how fast a person talks, and how they intonate words. Each biometric voice ID is unique to each individual.

HMRC has refused to detail how a user could delete his voice recording; it also has not disclosed whether it shares the IDs it collected with other government departments or other 3rd parties.

How Is This Illegal?

HMRC’s practice is in clear violation of the General Data Protection Regulation which prohibits the processing of biometric data for the purpose of uniquely identifying a person unless the there is a lawful basis.

According to GDPR, HMRC must ask for explicit consent from each taxpayer to enroll them in the scheme, since voiceprints qualify as sensitive data and are not necessary for dealing with tax issues.

We must also note that in 2017, a BBC reporter was able to trick HSBC’s voice ID system into allowing him access to a bank account, disputing claims regarding the security offered by voice ID.

Big Brother Watch has registered a formal complaint with the UK’s Information Commissioner’s Office, or ICO, which is now investigating. Stay tuned!