The voices of over 5.1 million British citizens have reportedly been stored in the Voice ID system of Her Majesty’s Revenue and Customs (HMRC) without taxpayers’ consent or knowledge, a British privacy advocacy firm said.
In January 2017, the HMRC launched its Voice ID service to verify a caller’s identity while getting in touch with the agency via its customer support service. However, privacy advocacy firm Big Brother points out that callers are not given a clear opt-out option. Instead, callers are forced to follow the automated instructions in order to continue, creating a biometric voice ID for the government database.
“Upon calling HMRC’s self-assessment helpline we were met with an automated system. After the account verification questions, the system demanded that we create a voice ID by repeating the phrase ‘my voice is my password’", Big Brother said in the blog post. “Far from ‘encouraging’ customers, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a Government database.
“In our investigation, we found that the only way to avoid creating a voice ID is to say ‘no’ to the system – three times – before the system resolves to create your voice ID ‘next time’.”
Meanwhile, the HMRC has confirmed to recording voices but argued customers have not been using the opt-out feature.
The incident comes just weeks after Europe’s strict GDPR data privacy regulations went into effect. The issue is now being investigated by ICO (Information Commissioner's Office). If found to be in violation of GDPR, the HMRC could potentially face a hefty fine.
According to the Article 9 of GDPR, users must give explicit consent to the processing of their personal data for one or more specified purposes. However, HMRC did not obtain the consent from users, Big Brother said.
The group has called on the HMRC to delete its massive database of voice IDs and “at the very least, it must publish accessible information as to how individuals can easily and secure. lt have their voiceprint deleted.”
“Individuals have the right to have their personal data erased if their data has been processed unlawfully. We believe it is very likely to apply in relation to HMRC’s voice ID scheme, as the Government department failed to obtain the consent of those enrolled,” the group said.
“We sent HMRC a Freedom of Information (FOI-PDF) request, asking how an individual could securely delete their voice ID and use the usual method to access the helpline. Disturbingly, HMRC refused (PDF) to answer our question under FOIA Exemption s31 (1) (a) — prejudice to the prevention or detection of crime.”
Publisher