HMRC used ‘implied consent’ to collect voiceprints of five million citizens
ICO investigating tax agency after investigation by advocacy group Big Brother Watch
The Information Commissioner’s Office is investigating a complaint made against HM Revenue and Customs, after the department used an “implied consent” model to collect voice identification information on more than five million citizens.
Responding to a Freedom of Information request from the privacy advocacy group Big Brother Watch, HMRC said that, as of 13 March 2018, 5.1 million citizens were enrolled on its voice ID scheme. The department also said that these identifications had been collected “on the basis of the implied consent of the customer” – although a process of explicit consent is being developed, it added.
A call transcript provided by Big Brother Watch indicates that callers to HMRC’s self-assessment helpline are automatically prompted to say the phrase “my voice is my password”, with no option given to decline to provide a voice ID. The only way to avoid doing so, according to Big Brother Watch, is to refuse to say the phrase or say ‘no’ instead three times in a row. At which point the automated system tells callers they can “try again” to create a voice ID next time they call.
When asked under FOI about the process by which citizens can opt out of the voice ID programme, HMRC said that “if a customer wishes to opt out of VoiceID, they tell an advisor that they wish to opt out, and whether they would like their voiceprint to be deleted”.
- HMRC trials voice ID
- We all have something to hide – and the government must let us
- Report claims facial recognition is 95% inaccurate
A further call transcript provided by Big Brother Watch also shows that, after waiting 15 minutes to be connected to an advisor, a caller to HMRC was put on hold for a further 10 minutes while the adviser looked into their request to have their voice ID removed from the department’s systems. The adviser was then able, on the caller’s behalf, to opt out of using voice ID for all applicable HMRC services.
But the adviser claimed that deleting the caller’s voice data entirely is “not something that I would be able to do” over the phone, according to Big Brother Watch. After another lengthy period on hold, the caller is advised that, if they wish to completely delete their voice ID, they must go online and fill out an HMRC Subject Access Request form.
Big Brother Watch also used FOI requests to ask HMRC to provide info on where and by whom the voice ID data is stored, what agencies have access to it, what “procedural guidelines” govern the storage, access, and use of the data, and how much has been spent on installing and maintaining the necessary technology. The department was also asked by the activist group to provide details of the privacy impact assessment undertaken in advance of implementing the voice ID scheme.
HMRC declined to provide responses to any of these questions, citing FOI Act exemptions under the possibility of prejudice to the prevention or detection of crime and, in the case of enquiry regarding spending, commercial interest exemptions.
The department did, however, respond to confirm that it has not yet consulted the Biometrics Commissioner about the voice ID programme.
Big Brother Watch has filed a complaint against HMRC with the ICO – the UK’s data-protection watchdog.
An ICO spokesperson said: “We have received a complaint about HMRC’s voice ID scheme and will be making enquiries.”
Silkie Carlo, director of Big Brother Watch, said that “HMRC should delete the five million voiceprints they’ve taken in this shady scheme, observe the law, and show greater respect to the public”.
“Taxpayers are being railroaded into a mass ID scheme that is incredibly disturbing. The tax man is building big brother Britain by imposing biometric ID cards on the public by the back door,” she added. “The rapid growth of the British database state is alarming. These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives.”
An HMRC spokesperson said: “Our voice ID system is very popular with customers, as it gives a quick and secure route into our systems. The voice ID data storage meets the highest government and industry standards for security.”
Party alleges that Joan Ryan's actions breached GDPR and the Data Protection Act
Chinese networking titan claims that it would ‘categorically refuse’ any requests to assist in intelligence-gathering
Minister reveals that 362 HMCTS sites were ‘intermittently’ impacted by loss of network access
Organisation indicates that faults were quickly detected and ‘there is no evidence of any security compromise'