Privacy Campaign group Big Brother Watch has alleged that HMRC has, since January 2017, collected biometric voiceprints of over five million taxpayers without their express consent.
Biometric voiceprints of taxpayers, that are used to authenticate callers as they are unique to each individual, were also shared by HMRC with other government departments and services such as tax credits, self-assessments, pay as you earn, child benefits and National Insurance.
However, even though a taxpayer can, after going through a lengthy process, opt out of the Voice ID system, the taxpayer may not be successful in ensuring that his/her biometric voiceprint is deleted from HMRC's servers which, Big Brother Watch says, is in violation of GDPR.
As far as obtaining consent for collecting biometric voiceprint of a taxpayer is concerned, Big Brother Watch observed that the HMRC automated system literally forces a caller to provide a sample of his/her voice by repeatedly asking the caller to say "My voice is my password" without giving the caller any option to decline.
"Upon calling HMRC’s self-assessment helpline we were met with an automated system. After the account verification questions, the system demanded that we create a voice ID by repeating the phrase “my voice is my password”.
"Far from ‘encouraging’ customers, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a Government database. In our investigation, we found that the only way to avoid creating a voice ID is to say “no” to the system – three times – before the system resolves to create your voice ID “next time”, the group said.
HMRC must delete biometric voiceprints
"The EU General Data Protection Regulation (GDPR), incorporated in UK law through the Data Protection Act 2018, prohibits the processing of biometric data for the purpose of uniquely identifying a person, unless the there is a lawful basis under Article 6.
"However, because voiceprints are such sensitive data – and voice IDs are not necessary for dealing with tax issues – HMRC must also request the explicit consent of each taxpayer to enrol them in the scheme, as required by Article 9 of GDPR.
"However, HMRC has in fact railroaded taxpayers into this unprecedented ID scheme. On our analysis, that means HMRC must now delete this giant biometric database. We have registered a formal complaint with the ICO, which is now investigating," said Big Brother Watch, adding that HMRC did not provide citizens with real choice and control over how their data was collected or to opt out of such data collection.
The group added that HMRC refused to honour a Freedom of Information request made by it to ascertain if a taxpayer could get his/her Voice ID deleted. The refusal was made as per FOIA Exemption s31 (1) (a) – prejudice to the prevention or detection of crime, which suggests that taxpayers’ voiceprints are being used in ways they are not informed about.
Are biometric voiceprints secure enough?
Many taxpayers may not be aware of the fact that their biometric voiceprints are shared by HMRC with other departments and may be used by the government for the prevention or detection of crime. At the same time, they are not being provided the option to get their Voice IDs deleted, thereby breaching their rights under GDPR.
At the same time, questions may also be raised about the security of unique Voice IDs of millions of taxpayers that are stored in HMRC's servers. HMRC's servers aren't completely immune to cyber attacks and as such, such Voice IDs could be compromised anytime in the future.
For instance, in September of last year, security researcher Zemnmez revealed in detail how hackers could harvest sensitive financial information of citizens from the HMRC's tax filing website by exploiting two glaring flaws.
While one of the flaws made it possible for a hacker to use the HMRC website as a "forwarding service" to send users to any other malicious website, the other flaw enabled hackers to harvest detailed tax filing details and other financial information belonging to UK citizens.
Similarly, a minor vulnerability in HMRC's database could be exploited in future by hackers to gain access to biometric voiceprints of customers.
"Being a governmental entity, HMRC may be lawfully exempted from many regulatory requirements. The underlying purpose of data collection is probably perfectly legitimate and reasonable, however, the problem is whether HMRC is capable of duly securing the data," said Ilia Kolochenko, CEO and founder of High-Tech Bridge.
"Voice samples usable for identification can be leveraged by attackers in sophisticated phishing attacks. Today, many European organizations become victims of fake phone calls allegedly from their management demanding to transfer funds, change shipment address or even to fire someone.
"Thus, such a database can be a very attractive bait for skilled cybercriminals. HMRC should therefore ascertain that the data is properly encrypted and protected," he added.
According to Tom Harwood, CPO and Co-Founder at Aeriandi, the use of biometric voiceprints by HMRC to authenticate callers could itself be exploited by fraudsters to mimic the voices of citizens and to obtain sensitive information from HMRC's database.
"No security technology is 100% fool-proof, and it’s is now possible to cheat voice recognition systems. Voice synthesiser technology is a great example. It makes it possible to take an audio recording and alter it to include words and phrases the original speaker never spoke, thus making voice biometric authentication insecure.
"Organisations need additional technologies – beyond biometrics – to protect their customers. Fraud detection technology is the prime candidate. It looks at far more than the voiceprint of the user; it considers hundreds of other parameters to ensure the caller and the call is legitimate – everything from their location to the acoustic dimensions of the room they’re making the call from," he added.