Voices of Millions of UK Taxpayers Stored By HMRC

AmiMoJo shares a report from BBC: The voices of millions of taxpayers have been analyzed and stored by HM Revenue and Customs (HMRC) without consent, privacy campaigners say. Big Brother Watch says HMRC's Voice ID system has collected 5.1 million audio signatures and accuses the department of creating "biometric ID cards by the back door." The Voice ID scheme, which was launched last year, asks callers to repeat the phrase "my voice is my password" to register. Once this task is complete, they can use the phrase to confirm their identity when managing their taxes.

Without consent?

I don't love the idea of companies collecting biometrics, but what did people think was going on when they repeated the phrase in order to register? Did they think a person was on the other end that was going to remember their voice?

Re:Without consent?

[AmiMoJo]

Under EU derived UK law HMRC is required to completely inform the user of what data is stored and how it will be used, including if it will be shared with any other organization. Not only did they fail to do so, but have admitted storing the actual recordings rather than just the metadata which strongly suggests that their system is badly designed and insecure.

The recordings represent a massive and unnecessary security risk, because anyone with access to them an impersonate any user of the system. Like passwords they should just store an irriversible hash of the metadata.

This kind of system is fine if it is done properly and legally, but that means fully informing the users and properly controlling the data.

Re:Without consent?

The recordings represent a massive and unnecessary security risk, because anyone with access to them an impersonate any user of the system.

You misspelled "can".

Re:Without consent?

The recordings represent a massive and unnecessary security risk, because anyone with access to them an impersonate any user of the system.
You misspelled "can".

You misspelled "will"

Re:Without consent?

...and blue passports...

Re:Without consent?

... like Croatia, which is in the EU...

Re:Without consent?

[currently_awake]

You should not use biometrics for access control. Using biometrics is like having a really long password, and writing it on your shirt. Anyone who wants to can copy your voice and gain access. And once compromised there is no way to change your password.

Re:Without consent?

[Anonymous+Brave+Guy]

The UK government has already said it intends to retain the GDPR rules after Brexit.

Re:Without consent?

[Anonymous+Brave+Guy]

It's often said that biometrics are user IDs, not passwords. Perhaps that's a little simplistic, but for practical purposes it's probably a better analogy.

Re:Without consent?

HAHAHAHAHAHAHAHAHAHAHAHAHAH....
Typical slave. Like the GDPR is for your benefit...LOL

Re:Without consent?

If they were here in NY it would be an intereseting international situation. New York has a law regarding 1-party consent for recording phone calls.

Re:Without consent?

A hash of the metadata (if by this you mean the output of the voice print, as "Mrs Miggins, The Pie Shop, The High Street, East Cheam, is also metadata) might not allow the matching to work, depending on how it has been implemented.

Ding Ding Ding! Unless someone can replicate a sound exactly, comparing a new hash to a recorded hash will fail.

Re:Without consent?

[TechyImmigrant]

A hash of the metadata (if by this you mean the output of the voice print, as "Mrs Miggins, The Pie Shop, The High Street, East Cheam, is also metadata) might not allow the matching to work, depending on how it has been implemented.

Ding Ding Ding! Unless someone can replicate a sound exactly, comparing a new hash to a recorded hash will fail.

So I take it the Slashdot community hasn't spent their time studying the theory of fuzzy hashing and secure sketches.
http://web.cs.ucla.edu/~rafail...

Re:Without consent?

Worked as a contractor for them for 3 years. I barely trust them to store their own toilet paper.

Re:Without consent?

[Archfeld]

BINGO !!! Biometric measurement + a userid make a great start, then a user derived password.

Re:Without consent?

[recrudescence]

It's been a while since I've experienced this myself so I don't remember how that exact session went, but from what I remember it was either very difficult or effectively impossible to decline this, and at most you could postpone to a later point in time where the implication was that there will come a time when this system will be in full force and the only way of signing in, making it impossible to decline. Therefore users aren't given the "option" to register by voice for convenience, the HMRC is effectively coercing the users to provide this biometric information, since the alternative is to refuse and be prosecuted for not submitting tax forms.

Re:Without consent?

[GNious]

Just never utter the word "Passport", no matter what Mary McDonnell tell you.

Re:Without consent?

[sjames]

Clearly they should have taken their business to some other country's tax administration or just done without taxes. What could go wrong?

Re:Without consent?

[sjames]

which is entirely optional.

Unless you are legally required to pay your taxes.

Re:Without consent?

which is entirely optional.

Unless you are legally required to pay your taxes.

Unless you are required to (IN ORDER TO) pay your taxes.
And no, you aren't.

Re:Without consent?

[cas2000]

Unless someone can replicate a sound exactly, comparing a new hash to a recorded hash will fail.

You're right. that would take some super advanced technology. I read about something like that in a really far-fetched futuristic science fiction novel once - I think they called it a "tape recorder" or something like that. The sequel had some nonsensical-sounding "mp3 recorder". Fucking ridiculous, right? The space-detective in it even magically figured out that the bad guys had spliced together words and even phonemes from lots of different recordings to create the phrase "my voice is my password". who could believe absurd shit like that?

Re:Without consent?

[dcw3]

which is entirely optional.

Unless you are legally required to pay your taxes.

Was it a legal requirement to pay using your voice?

Re:Without consent?

Anyone who wants to can copy your voice and gain access.

What?!!! My name is Werner Brandes! My voice is my passport!

Re:Without consent?

[sjames]

According to some here, no but they do all they can to convince you otherwise.

Sounds Foolproof

[mentil]

The Voice ID scheme, which was launched last year, asks callers to repeat the phrase "my voice is my password" to register.

I'd really like you to say 'password'.

Re:Sounds Foolproof

I've always loved the sound of that word.

Re:Sounds Foolproof

Okay.... Second best movie of all time... Second only to "Die Hard"

https://www.youtube.com/watch?v=7ucflHg8738

Are we getting old or something?

Re:Sounds Foolproof

if ever there were a need to show this as life imitating art in the form of Sneakers 1992 rather than 1984

https://www.youtube.com/watch?v=n5GzlOpf3KA

Re:Sounds Foolproof

[skovnymfe]

CYRIL... FIGGIS...

Re:Sounds Foolproof

[bill.pev]

I wonder why they left off "identify me" ??

Re:Sounds Foolproof

wasnt' it "verify me"

Re:Sounds Foolproof

It was "my voice is my passport, verify me."

Sneaky

"My voice is my passport", surely?

Re:Sneaky

Verify me.

Re:Sneaky

[The-Ixian]

Now they will ask you to put a recording device in your trunk in order to determine where you live!

Re:Sneaky

[antdude]

http://www.youtube.com/watch?v... :P

Without consent?

"Without consent" as in they tell you exactly what they're doing and ask you to say a specific phrase three times, the whole of which is entirely optional.

Accuracy

I suggest doing a smeagle impression. Anyway, is voice biometrics even that good at this point? A lot of people sound like a lot of other people. Would a good impressionist fool it?

Re:Accuracy

How well would it work with a cell phone in a poor reception area?

Let's accuse China of being a surveilance state

instead of complaining enough about this. That's what we're good at. Pointing fingers at China and Russia, hoping that the sheep will stop complaining on their own government.

Re:Let's accuse China of being a surveilance state

"Yeah, see, everyone's doing it, so let's just ignore the issue"

HMRC

The tax bods have a history of leaving data insecure, like burning data to CD and leaving it lying around. Not to be trusted and I bet if someone scams you by using a recording of you it will be pretty hard to defend yourself

Can we sue

[Idimmu+Xul]

and put HMRC out of business? Is this the way to end taxes once and for all?!

Re:Can we sue

Brexit already did that. Remember? Its all plain sailing from here on out. lol

Re:Can we sue

[EvilSS]

and put HMRC out of business? Is this the way to end taxes once and for all?!

Not exactly. You sue HMRC, then they have to pay, and as a result the government has to raise tax rates to compensate for the payout. The more people who sue, the higher the taxes go. Eventually they recoup all the money they paid out and celebrate the windfall of new tax income they have! WIN-WIN!

Re:Can we sue

[OneHundredAndTen]

Brexit already did that. Remember? Its all plain sailing from here on out. lol

Does it not make one feel warm and fuzzy knowing that the Brits these days are not far behind the Americans when it comes to inveterate stupidity?

Re:Can we sue

[dcw3]

Having been in the UK a couple times in the last year, I'm not so sure that "behind" is the correct choice of words.

Because the GSM codecs really make this work!!!

Sarcasm implied. This can't be secure. There POTS and GSM systems are far too low bandwidth for voice for this to work so I'm guessing that it's really insecure. Challenge accepted?

I haven't a clue what bellend thought such a system was a good idea, or would work.

I do a good Hugh Grant impression

Time to have a root around his tax affairs....

Borders

I know this article is about voice prints and HMRC, so I run the risk of being off topic.

But I have long suspected that the automated border gates are collecting data in exactly the same way.

The Australian ones, have in small letters underneath the passport scanner: "by supplying your passport you consent to our data storage policy". I've asked to see the policy, but the border staff laughed at me.

We're basically fucked, and no one seems to care...

My voice is my password?

Someone's been watching too much of the movie "Sneakers".

Oh come on now, that's just dumb.

[sabbede]

The phrase itself lets people know exactly what's going on. In no way is it a "backdoor biometric ID card". That's just so mind-bogglingly stupid I don't know what to do with it.

It's a convenience for taxpayers and probably a lot easier to use than having to remember a PIN that gets used once a year (listen up IRS).

Re:Oh come on now, that's just dumb.

[coofercat]

HMRC have some particularly complex requirements for logging on to any of their services. You need a magic number and a password. The magic number bears no resemblance to anything you might know, or ever learn. The password has to be so complex that it too is something you'll never know. I forget exactly how these things are supplied to you, but I seem to remember one half is sent via snail mail and the other half is SMS messaged.

In the days before password managers, there was literally no way any human on earth could have remembered those details that they only use once per year. Of course we all wrote them down, and of course that was horribly insecure and yes, I suspect a few of them got stolen along the way. Even with a password manager, you can't log on in an automated fashion because their website somehow stops that from working, but at least you could just write yourself a 'secure note' with the details you need to remember in it.

Then along came biometrics (from the Home Office, who had their strings pulled by MI5, who in turn had theirs pulled by the NSA). They've tried time and time again to get the British Public to sign up to some biometric-based system for tracking the population. It's never really stuck though, so I suspect HMRC got hold of some 'Home Office Surplus' to do their biometric password stuff.

Being the government though, no matter what they implement it'll feel like it'd be easier to break into the Bank of England than to use it, but if you look closely enough you'll see the whole thing is made of cardboard and sticky tape. It seems they didn't disappoint here, by keeping the recordings instead of the fingerprints of them. It's only lucky that they didn't copy them all to a USB stick and lose it on a train or in the back of a cab, I suppose.

Re:Oh come on now, that's just dumb.

[raburton]

Problem is, or at least was, that it was not optional (not when I last called them and was "invited" to enroll anyway). Well, technically it might have been because I simply refused to speak when I was told to and after several prompts it gave up, but there was no indication that you could opt-out and so most people probably did as they were told by the recorded instructions. Consent isn't valid if it's only given under coercion, if people only do it because they have to (or think they have to) then they haven't consented.

Re:Oh come on now, that's just dumb.

[mjwx]

HMRC have some particularly complex requirements for logging on to any of their services. You need a magic number and a password. The magic number bears no resemblance to anything you might know, or ever learn. The password has to be so complex that it too is something you'll never know. I forget exactly how these things are supplied to you, but I seem to remember one half is sent via snail mail and the other half is SMS messaged.

For the uninitiated, the HRMC (Her Majesty's Revenue and Customs) is the tax department of the UK, like it's contemporaries the IRS (US) and ATO (AU) they operate in such a fashion that no interaction with them can be completed without extensive pain and suffering. Put simply, with the HRMC, Nothing. Is. Fucking. Easy.

Re:Oh come on now, that's just dumb.

yet... they didn't lose it on a train or in the back of a cab yet.

Re:Oh come on now, that's just dumb.

[houghi]

Consent isn't valid if it's only given under coercion

I should tell that to my HR department who gave everybody a letter where they told that they could take pictures of me, use them as they please and also for my badge and something else.
I agree on the badge, but not on the rest of sharing my data.

They gave everybody a letter where the options where just one and that was all of the possible ways.
They even told us that we had to sign, even if we did not agree with it. And it said something along the lines of "I sign this out of my own free will". Well, if you say that I MUST sign, even if I do not agree with it, then it is not really free will, is it.

I am still waiting for the HR department as I (and some of my cow orkers) have not signed anything and some have signed, but changed what it said.

Re:Oh come on now, that's just dumb.

[Jerry+Atrick]

Requirements so complex their IT folk never got it to work in the 3 years I tried creating my account, before retiring. Closest was the sign up page sending me to the self-employment 1st time registration page, none of them could tell me if that would recognise my existing (off line) account (assuming I magically remembered business details from 35 years ago) or create chaos. It's the last resort for incompetent IT workers.

Re:Oh come on now, that's just dumb.

[Anonymous+Brave+Guy]

Well, HMRC is in an impossible position. The tax rules it is required to use are so complicated that I doubt anyone understands them completely, and it it has far too few resources to do its job properly, and the people it does have are often not well trained. (These three factors may be related...)

Given those constraints, I think a lot of the automated systems for filing the main types of return electronically are fairly usable these days. If you do get to speak to a real person from HMRC, in my experience they are usually reasonable and try to do the right thing as well.

However, even if everyone has the best of intentions, the problems lead to HMRC's people making mistakes and giving bad advice and sometimes focussing on the easy things instead of the right things. When you're in a position to seriously affect other people's lives, even if those other people have done nothing wrong or have made an honest mistake while trying to deal with a system too complicated to understand, obviously that's still not good enough.

Re:Oh come on now, that's just dumb.

->Put simply, with the HRMC, Nothing. Is. Fucking. Easy.

Hand out your name and national insurance number (not address) to a load of illegal immigrants, and then just ignore HMRC completely.

Simples.

Re: Oh come on now, that's just dumb.

Sounds like you need to acquaint yourself with the office philosophies of a one David Thorne...

Re:Oh come on now, that's just dumb.

[shufflingb]

Minor quibble, keeping the original recordings is actually reasonable foresight, as it it allows subsequent re-coding of the "fingerprints" when technology improves. Other than that an excellent appraisal of the situation; I'm suspecting inside information ;-)

Re:Oh come on now, that's just dumb.

[coofercat]

Maybe... but that approach leads to "keep everything, just in case we need it" - which of course GDPR really doesn't like (even the old school Data Protection Act didn't like it either, for that matter).

As things stand, you could probably make some reasonable guesses about what technology might look like in the future. I don't really know much about audio fingerprinting, but lets say you take 20 samples and do some maths on them to end up with the fingerprints. It's not too hard to do that 100 times instead, but only use 20 of them during verification. That gives you some headroom if you need to tighten up later.

Particularly with voice though, if they really did need to throw out their whole system and recreate, they could just wait for all the active users to phone up and authenticate - you have to give the entire audio to do so, which they could re-record and re-sample. This would have the effect of eventually deactivating all the accounts of people who don't use them - which is of course good practice. It also highlights the problem with 'my voice is my password' as a concept too, but I doubt they'd spot that flaw in such an exercise.

The over-arching problem is that governments are terrible at specifying what they want, and suppliers are terrible at saying 'no'. That means that the government ends up asking for all kinds of things that are unnecessary (in the 'big picture'), and confine the solution into places that it shouldn't ever have got into. No supplier can realistically architect their way out of those problems, and can't tell the government to do a better job of it either - thus we end up with utter shit for government IT. In this case, there was (probably) a specification to keep the original audio forever and a day, and so now the system can't operate without it.

Re:Oh come on now, that's just dumb.

[philml]

I'm going to disagree—I'm really impressed with HMRC's technology. Their website is extremely well laid out and as well explained as any complex system can be. Their login system is 2FA with SMS messages (not perfect, but it's better than most things and it works). Every interaction I've ever needed has been possible online. It all works pretty well online (and that's rapidly becoming the case for the UK government as a whole).

HMRC's website is better than the website for my mobile phone and utility companies, that's certain. This latest problem is indeed a problem, but they're generally good with technology.

Re: Oh come on now, that's just dumb.

[sabbede]

That's true for everyone. Mr. Thorne is a shining light of proper office etiquette and camaraderie. Just look at all the work he went through to help a secretary find her lost cat!

Re:Oh come on now, that's just dumb.

[dcw3]

Then along came biometrics (from the Home Office, who had their strings pulled by MI5, who in turn had theirs pulled by the NSA).

Um, so you're going to blame this on NSA, and why isn't this also required in the US then?

Re:Oh come on now, that's just dumb.

[sabbede]

Did you have to call? I don't know how the HMRC does things, but in the US you usually only call the IRS if you have questions about your return (whether you get the right answer is hit and miss though).

But insofar as opt-in/opt-outs and the GDPR are concerned, the tax collectors all ready have your personal information and they aren't going to delete it no matter what you want. It is necessary for them to collect and retain it, so another drop in that bucket is hardly a big deal. Maybe they should have clarified in the recording that you don't need to do it, but that's a pretty minor bureaucratic cockup.

Re:Oh come on now, that's just dumb.

[raburton]

Of course I had to call them, I don't just ring the tax man for a chat. They have all the information they need for tax purposes yes, no one is suggesting/expecting that they would delete that, not sure where you got that idea. What they don't need for tax purposes is your voice print. Giving the government this is certainly extra information they didn't have before. They have created a large government-controlled biometric database, of a type never previously collected in the UK, without the informed, legitimate consent of the public and without, as far as we know, any formal consultation or approval at higher levels. As for the "minor bureaucratic cockup" as you put it, yes you could call it that, but you could equally call it a "huge legal cockup" which doesn't sound as good and certainly has more consequences.

Re:Oh come on now, that's just dumb.

[shufflingb]

What system is going to cost less and would most people prefer to use?

One where when a weakness, or a more accurate, "finger print" * technology is discovered all existing users have to access the system using the potentially comprised existing encoding technology and record new training data.

One where whilst any update processes is underway, both the old and new systems have to be operated and developed concurrently.

Or one where admins can run a script using the original voice recordings and update the "finger print" models and recognition process overnight, turn off the old and deploy the new system in the morning.

* "finger print" == speaker recognition feature

Not exactly obvious this is optional

I encountered this for the first time yesterday when having to call HMRC. I don't recall the automated message indicating that registration was optional. I simply stayed silent and mashed the 0 key on my telephone. The system did attempt to get me to say the phrase multiple times, but eventually gave up and put me through to a human with registering. However, I suspect that the average user will realise that they can stay quiet to sidestep the registration.

Unique voice signature

Sounds like a good database to have to make the idea of burner phones irrelevant.

"My voice is my username" would be better

One still needs a password, which should be secret, not public.

Because as we all know

Voice signatures can't be forged.

Just wondering

[mrbester]

Is there IVR as well to confirm you are actually saying the phrase as well as the repetition to confirm it is the same person saying it?

What if you said (in response to "please repeat the phrase" prompt) "Go fuck yourself" each time? Would that become the passphrase?

Obligatory reference

In the words of Cardinal Borusa... "There's nothing more useless than a lock with a voiceprint!".

Voice change?

[jago25_98]

Great...
until your voice changes.

Missing something

[kenh]

The voices of millions of taxpayers have been analyzed and stored by HM Revenue and Customs (HMRC) without consent, privacy campaigners say.

and

The Voice ID scheme, which was launched last year, asks callers to repeat the phrase "my voice is my password" to register.

Once this task is complete, they can use the phrase to confirm their identity when managing their taxes.

Responding to the request "repeat the phrase 'my voice is my password' the register" is giving consent - that the government agency might misuse the data is not the same as the government agency is misusing the data. This appears to be a case of "might" not "is".

Can you ...

[PPH]

... use your own phrase?

Re:Can you ...

[The-Ixian]

I want to use the phrase that pays....

They should have listened to the BBC

There's nothing more useless than a lock with a voice print.

Anyone remember Sneakers?

For the record : https://www.youtube.com/watch?v=-zVgWpVXb64

tl;DR - "My voice is my passport" was used as entry.

I swear we're either getting dumber by the day or there is an awfull lot of people severely in over their head for even thinking this crap up.

Re:Anyone remember Sneakers?

[cheesybagel]

In the British computer game "Uplink" by Introversion one of the biometric locks you need to bypass actually uses the exact same sentence "My Voice is My Password. Verify me."

Australian tax office....

The ATO has been using this for years.

"In Australia, my voice identifies me." is the phrase I use.

Australia uses the same phrase

ATO, the tax office, uses the same lock on phrase, in Australia.

I understand some biometrics are available for sale from a certain, international credit rating agency. I understand the government makes this available for sale.

Thank you Google!

Add to this the excellent new google tool that realistically impersonates a voice and I'm sure someone clever out there will have it spitting out "My voice is my password" after a few short, non-related samples in no time.

Excuse me Nero... are you done with that violin? I'd like to give it a whirl.