HMRC used ‘implied consent’ to collect voiceprints of five million citizens
ICO investigating tax agency after investigation by advocacy group Big Brother Watch
The Information Commissioner’s Office is investigating a complaint made against HM Revenue and Customs, after the department used an “implied consent” model to collect voice identification information on more than five million citizens.
Responding to a Freedom of Information request from the privacy advocacy group Big Brother Watch, HMRC said that, as of 13 March 2018, 5.1 million citizens were enrolled on its voice ID scheme. The department also said that these identifications had been collected “on the basis of the implied consent of the customer” – although a process of explicit consent is being developed, it added.
A call transcript provided by Big Brother Watch indicates that callers to HMRC’s self-assessment helpline are automatically prompted to say the phrase “my voice is my password”, with no option given to decline to provide a voice ID. The only way to avoid doing so, according to Big Brother Watch, is to refuse to say the phrase or say ‘no’ instead three times in a row. At which point the automated system tells callers they can “try again” to create a voice ID next time they call.
When asked under FOI about the process by which citizens can opt out of the voice ID programme, HMRC said that “if a customer wishes to opt out of VoiceID, they tell an advisor that they wish to opt out, and whether they would like their voiceprint to be deleted”.
- HMRC trials voice ID
- We all have something to hide – and the government must let us
- Report claims facial recognition is 95% inaccurate
A further call transcript provided by Big Brother Watch also shows that, after waiting 15 minutes to be connected to an advisor, a caller to HMRC was put on hold for a further 10 minutes while the adviser looked into their request to have their voice ID removed from the department’s systems. The adviser was then able, on the caller’s behalf, to opt out of using voice ID for all applicable HMRC services.
But the adviser claimed that deleting the caller’s voice data entirely is “not something that I would be able to do” over the phone, according to Big Brother Watch. After another lengthy period on hold, the caller is advised that, if they wish to completely delete their voice ID, they must go online and fill out an HMRC Subject Access Request form.
Big Brother Watch also used FOI requests to ask HMRC to provide info on where and by whom the voice ID data is stored, what agencies have access to it, what “procedural guidelines” govern the storage, access, and use of the data, and how much has been spent on installing and maintaining the necessary technology. The department was also asked by the activist group to provide details of the privacy impact assessment undertaken in advance of implementing the voice ID scheme.
HMRC declined to provide responses to any of these questions, citing FOI Act exemptions under the possibility of prejudice to the prevention or detection of crime and, in the case of enquiry regarding spending, commercial interest exemptions.
The department did, however, respond to confirm that it has not yet consulted the Biometrics Commissioner about the voice ID programme.
Big Brother Watch has filed a complaint against HMRC with the ICO – the UK’s data-protection watchdog.
An ICO spokesperson said: “We have received a complaint about HMRC’s voice ID scheme and will be making enquiries.”
Silkie Carlo, director of Big Brother Watch, said that “HMRC should delete the five million voiceprints they’ve taken in this shady scheme, observe the law, and show greater respect to the public”.
“Taxpayers are being railroaded into a mass ID scheme that is incredibly disturbing. The tax man is building big brother Britain by imposing biometric ID cards on the public by the back door,” she added. “The rapid growth of the British database state is alarming. These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives.”
An HMRC spokesperson said: “Our voice ID system is very popular with customers, as it gives a quick and secure route into our systems. The voice ID data storage meets the highest government and industry standards for security.”
Coronavirus could be a boon for cybercriminals, but could also be an ideal time for organisations to tune up their security, writes Henry Asson of the PublicTechnology events series
NCSC sets up reporting hub and asks public to shop suspected fraudsters
Report commissioned after New Year Honours blunder cites need for greater senior accountability and finds widespread use of free consumer tools
PHE also reveals outsourcers Serco and Sitel will process sensitive information and claims length of retention is ‘because Covid-19 is a new disease’
PublicTechnology talks to Rich Turner about why organisations need to adopt a ‘risk-based approach’ to security – but first make sure they get the basics right
CyberArk's David Higgins explores the cyber risks of hiring independent contractors
CyberArk's John Hurst looks at the true cost of GDPR breaches