UK taxman has amassed voice profiles of 5.1 million taxpayers

Big Brother Watch questions legal basis for data retention

By Rebecca Hill

Campaign group Big Brother Watch has accused HMRC of creating ID cards by stealth after it was revealed the UK taxman has amassed a database of 5.1 million people's voiceprints.

The department introduced its Voice ID system in January 2017. This requires taxpayers calling HMRC to record a key phrase, which is used to create a digital signature that the system uses to unlock the right account when they phone back.

According to a Freedom of Information request, submitted by Big Brother Watch and published today, the department now has more than 5.1 million people's voiceprints on record.

However, the group argued that users haven't been given enough information on the scheme, how to opt in or out, or details on how their data would be deleted. The FoI revealed that no customers have opted out in the 30 days to 13 March, but the department refused to set out exactly how the erasure process would work.

Director Silkie Carlo said that taxpayers have been "railroaded into a mass ID scheme" and that the government was "imposing biometric ID cards on the public by the back door".

The FoI response also raises questions about the lawfulness of the collection and storage of the data, and whether it is in line with the General Data Protection Regulation that came into force on 25 May.

Under the GDPR, a system that allows people to be identified by their voice would likely meet the definition of processing of biometric data. This places certain demands on the organisation beyond those made for other forms of personal data.

"Where [biometric processing] takes place on the basis of a person's consent, GDPR says that the person must give 'explicit consent'. 'Consent' also means a 'freely given, specific, informed and unambiguous' indication of the person's wishes, and it must be a 'clear, affirmative action'," said Jon Baines, a data protection advisor at law firm Mishcon de Reya.

"It is difficult to square these requirements with what seems to have taken place here: callers were apparently given no option to opt out, let alone opt in."

He added that HMRC's FOI response "appears to concede this point", as it reads:

HMRC currently operates VoiceID on the basis of the implied consent of the customer, but is developing a new process which will be operated on the basis of the explicit consent of the customer.

Baines added that it would be "difficult to see any other basis, other than explicit consent, which would allow HMRC to do this".

GDPR does allow individual member states to introduce their own laws to justify processing of biometric data without consent, he said, but "for this to happen there would rightly need to be the opportunity for parliamentary debate on the subject".

The Information Commissioner's Office confirmed to The Register that it had received a complaint about the Voice ID scheme and was making inquiries. If it finds there has been an infringement, Baines pointed out it can do more than just issue financial penalties; it can also require an organisation to take action.

"In this instance, it does appear that she [ICO commish Elizabeth Denham] could require HMRC to delete all 5.1 million profiles," he said.

HMRC said in a statement that all its customers' data, "including for VoiceID, is stored securely", but the department refused to answer an FoI request asking for further details on storage, or what legal territory it was stored in.

The department's canned statement added that the Voice ID system was "very popular with customers as it gives a quick and secure route into our systems".

'Expansion of the database state'

In addition to criticisms of the database itself, Big Brother Watch raised concerns about whether HMRC shares the voiceprints with other departments or public authorities.

There are multiple examples of different bodies handing over information that the public might not expect them to. The Home Office and NHS Digital were recently forced to stop sharing patient data for immigration enforcement, while the Department for Education was slammed for a similar scheme in 2016.

"These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives," said Carlo.

But HMRC also refused to divulge information on who else has access to Voice ID in its FoI response (PDF), saying it risked prejudicing the prevention or detection of crime.

Big Brother Watch also slammed Whitehall's decision to create another database of sensitive biometric material, describing it as another step towards the "database state". The FoI response from HMRC also shows that the department did not consult the biometrics commissioner on its Voice ID plans.

The government is already under pressure over its custody image database – which contains around 21 million shots of faces and identifying features – because the pictures are stored even if the subject is not charged.

This is despite a 2012 High Court judgment that said keeping images of presumed innocent people on file was unlawful. The Home Office has blamed outdated and clunky IT systems for the prolonged retention but hasn't committed to specifically address this issue.

The Home Office had promised that its much-delayed biometrics strategy – expected to address MPs' and campaigners' concerns – would be published in June.

Although the department has repeatedly insisted to El Reg that this is still the plan, that gives it only until Friday to pull the proverbial rabbit out of the hat. ®
