The voices are thought to have been collected via HMRC’s voice recognition-based security feature, which requires callers to repeat the phrase “My voice is my password”.
This feature was first tried out by the UK tax collection agency in January 2017.
Director of Big Brother Watch Silkie Carlo expressed concerns that the feature “could allow ordinary citizens to be identified by government agencies across other areas of their private lives.”
Collecting biometric information without consent breaches the EU General Data Protection Regulation (GDPR), which started being enforced in May this year, unless it is in the public interest or it is provided under legal obligation.
But despite being accused of collecting “biometric ID cards by the back door”, the HMRC denies any wrongdoing, stating that usage of the voice ID feature was not compulsory, and that the feature is “very popular with customers”.
The agency also insists that the voices are securely contained away from taxpayers’ personal details, but it has yet to explain how they are stored.
CPO and co-founder of PCI solution provider Aeriandi Tom Harwood said that while there is evidence to show a decrease in fraud when biometrics are involved, “it’s not the whole solution”.
“Last year, two twins demonstrated how easy it is to trick these systems after they gained access to HSBC’s voice biometrics security platform.”
This referred to the case of the twin brother of BBC Click reporter Dan Simmons, who managed to mimic Dan’s voice in order to hack into his HSBC account last year, as part of an investigation by the BBC.
“No security technology is 100% fool-proof, and it is now possible to cheat voice recognition systems,” Aeriandi CPO Harwood added.
“Voice synthesiser technology is a great example. It makes it possible to take an audio recording and alter it to include words and phrases the original speaker never spoke, thus making voice biometric authentication insecure.”
Harwood suggested that fraud detection technology that analyses not only users’ voices, but “hundreds of other parameters to ensure the caller and the call is legitimate – everything from their location to the acoustic dimensions of the room they’re making the call from” could be a better solution for combating fraud over the phone.
The Information Commissioner’s Office has launched an investigation following Big Brother Watch’s claims. If this investigation proves the claims correct, it could leave the government’s recently introduced National Cyber Security Centre, which was set up in November 2016 primarily to combat cyber fraud, open to intense criticism and to a consensus-fuelled idea that its operations need to go beyond the SMS and email scams that HMRC’s head of operational and cyber security Mike Fell references.