Her Majesty’s Revenue and Customs (HMRC) has been accused of “imposing biometric ID cards on the public by the back door” over its use of voice ID.
Freedom of information requests submitted by privacy campaign group Big Brother Watch have shown that 5.1 million audio signatures have been collected by HMRC’s Voice ID system. This system allows users to access their account by repeating the phrase “my voice is my password”, which is checked against an initial recording (made on registration for the service) to verify the caller’s identity.
A spokesperson for HMRC emphasised that callers could choose not to use the Voice ID system, and that the system is “very popular” as it speeds up security and identification processes.
However, Big Brother Watch claims that callers are not presented with alternatives to participation in the system, are not asked to opt in (or given an opportunity to opt out), and are not given information on how to have their voice ID deleted.
“Taxpayers are being railroaded into a mass ID scheme that is incredibly disturbing. The tax man is building Big Brother Britain by imposing biometric ID cards on the public by the back door,” said Silkie Carlo, director of Big Brother Watch. “The rapid growth of the British database state is alarming. These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives. HMRC should delete the 5 million voiceprints they’ve taken in this shady scheme, observe the law and show greater respect to the public.”
The group also points out that the security of voice ID has been called into question before, referring to an incident last year in which a BBC reporter and his twin were able to fool HSBC’s voice ID system. Though it’s not clear exactly how similar the two systems are, both used the phrase “my voice is my password” to identify callers.
According to Big Brother Watch, HMRC refused to disclose which other Government departments the voice IDs have been shared with, how the IDs are stored and used, which legal territory the data is kept in, how much the scheme has cost taxpayers, or the legally-required ‘privacy impact assessment’. HMRC did reassure customers that the data is stored securely, though it didn’t elaborate.
HMRC’s response to the second FOI request submitted by Big Brother Watch said that “if a customer wishes to opt out of Voice ID they tell an advisor that they wish to opt out and whether they would like their voiceprint to be deleted.” Further details were not given.
Biometric data such as a voice ID falls under ‘special category’ data as described in Article 9(2) of the GDPR, and therefore its storage and use require additional justification. It is not immediately clear which lawful basis HMRC would be able to claim.
Responding to an FOI request, the organisation said that it “currently operates Voice ID on the basis of the implied consent of the customer, but is developing a new process which will be operated on the basis of the explicit consent of the customer.”
“HMRC’s voiceprint scheme appears to be almost surreptitious, failing to meet basic data protection principles. The non-transparent manner of harvesting of people’s data and significant questions of lawfulness are troubling,” said Pat Walshe, data protection law expert and director of Privacy Matters. “Given the significant number of citizens involved, and the potential for broader use of biometric voiceprints by government agencies, the ICO could issue a notice requiring the temporary suspension of the scheme.”
The ICO has said that it is looking into the complaints.