HMRC collected voiceprints of 5.1 million UK taxpayers

Waterfall Security: Trust issues with your firewalls? Eliminating vulnerabilities that accompany firewalls is a click away.

Her Majesty’s Revenue and Customs (HMRC) has collected voiceprints of some 5.1 million UK taxpayers without their explicit consent, and won’t reveal whether these IDs are shared with other government departments.

HMRC voiceprints

How does HMRC create voiceprints?

Taxpayers who call the tax credits and self-assessment helplines are urged to repeat the phrase, “My voice is my password” before being able to access services. The recording is used to create a Voice ID of the user and that is used to simplify the use and improve the security of their accounts.

But the scheme does no give callers a clear option to opt out of this collection. According to UK-based privacy and civil liberties pressure group Big Brother Watch, callers that say “no” are repeatedly instructed by the automated line, “It’s important you repeat exactly the same phrase. Please say ‘My voice is my password’”. Only after the caller has said “no” three times the system resolves to create the voice ID “next time”.

Callers are not been given the option to not enroll and there is no clear way to ask that their voiceprint is deleted.

“Taxpayers are being railroaded into a mass ID scheme that is incredibly disturbing. The tax man is building Big Brother Britain by imposing biometric ID cards on the public by the back door,” says Silkie Carlo, director of Big Brother Watch.

“These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives. HMRC should delete the 5 million voiceprints they’ve taken in this shady scheme, observe the law and show greater respect to the public.”

Freedom of Information requests

The group submitted a Freedom of Information request to discover details about this scheme, which was implemented in January 2017.

While the HMRC claims the Voice ID data storage “meets the highest government and industry standards for security, it refused to disclose how exactly the IDs are stored and used, which legal territory the data is kept in, whether it is possible to delete a voice ID, how much the scheme has cost taxpayers, or a copy of the legally-required privacy impact assessment of the scheme.

A second FoI request revealed the number of users currently enrolled with a Voice ID (5.1 million) and that “if a customer wishes to opt out of Voice ID they tell an advisor that they wish to opt out and whether they would like their voiceprint to be deleted.”

HMRC declined to explain the erasure process of the Voice ID fingerprint, but admitted that it “currently operates Voice ID on the basis of the implied consent of the customer, but is developing a new process which will be operated on the basis of the explicit consent of the customer.”

This means that they are likely falling afoul of the GDPR, which requires that users must be given a real choice and that consent for such a biometric data collection scheme must be explicitly given. Also, that they users the right to have their personal data erased if their data has been processed unlawfully.

“All voiceprints processed without the explicit consent of the individual should be erased. Moreover, this erasure must be a secure and complete removal from HMRC’s system and any other third party – such as other Government departments – the IDs have been shared with. Even if an individual consents to data collection, they have the right to withdraw their consent at any time and request that their data is securely erased,” the organization noted.

Big Brother Watch has registered a formal complaint with the Information Commissioner’s Office (UK’s national data protection authority) and they are now investigating.