Slashdot Mirror

← Back to Stories (view on slashdot.org)

Voices of Millions of UK Taxpayers Stored By HMRC (bbc.co.uk)

Posted by BeauHD on from the can-you-hear-me-now dept.

AmiMoJo shares a report from BBC: The voices of millions of taxpayers have been analyzed and stored by HM Revenue and Customs (HMRC) without consent, privacy campaigners say. Big Brother Watch says HMRC's Voice ID system has collected 5.1 million audio signatures and accuses the department of creating "biometric ID cards by the back door." The Voice ID scheme, which was launched last year, asks callers to repeat the phrase "my voice is my password" to register. Once this task is complete, they can use the phrase to confirm their identity when managing their taxes.

15 of 90 comments (clear)

  1. Without consent? by Anonymous Coward · · Score: 5, Insightful

    I don't love the idea of companies collecting biometrics, but what did people think was going on when they repeated the phrase in order to register? Did they think a person was on the other end that was going to remember their voice?

    1. Re:Without consent? by AmiMoJo · · Score: 5, Insightful

      Under EU derived UK law HMRC is required to completely inform the user of what data is stored and how it will be used, including if it will be shared with any other organization. Not only did they fail to do so, but have admitted storing the actual recordings rather than just the metadata which strongly suggests that their system is badly designed and insecure.

      The recordings represent a massive and unnecessary security risk, because anyone with access to them an impersonate any user of the system. Like passwords they should just store an irriversible hash of the metadata.

      This kind of system is fine if it is done properly and legally, but that means fully informing the users and properly controlling the data.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Without consent? by currently_awake · · Score: 3, Informative

      You should not use biometrics for access control. Using biometrics is like having a really long password, and writing it on your shirt. Anyone who wants to can copy your voice and gain access. And once compromised there is no way to change your password.

    3. Re:Without consent? by Anonymous+Brave+Guy · · Score: 3, Funny

      The UK government has already said it intends to retain the GDPR rules after Brexit.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:Without consent? by Anonymous+Brave+Guy · · Score: 3, Insightful

      It's often said that biometrics are user IDs, not passwords. Perhaps that's a little simplistic, but for practical purposes it's probably a better analogy.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. Sounds Foolproof by mentil · · Score: 4, Funny

    The Voice ID scheme, which was launched last year, asks callers to repeat the phrase "my voice is my password" to register.

    I'd really like you to say 'password'.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Sounds Foolproof by bill.pev · · Score: 2

      I wonder why they left off "identify me" ??

  3. Sneaky by Anonymous Coward · · Score: 3, Informative

    "My voice is my passport", surely?

  4. Can we sue by Idimmu+Xul · · Score: 2

    and put HMRC out of business? Is this the way to end taxes once and for all?!

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    1. Re:Can we sue by OneHundredAndTen · · Score: 2

      Brexit already did that. Remember? Its all plain sailing from here on out. lol

      Does it not make one feel warm and fuzzy knowing that the Brits these days are not far behind the Americans when it comes to inveterate stupidity?

  5. Oh come on now, that's just dumb. by sabbede · · Score: 2, Insightful
    The phrase itself lets people know exactly what's going on. In no way is it a "backdoor biometric ID card". That's just so mind-bogglingly stupid I don't know what to do with it.

    It's a convenience for taxpayers and probably a lot easier to use than having to remember a PIN that gets used once a year (listen up IRS).

    1. Re:Oh come on now, that's just dumb. by coofercat · · Score: 5, Interesting

      HMRC have some particularly complex requirements for logging on to any of their services. You need a magic number and a password. The magic number bears no resemblance to anything you might know, or ever learn. The password has to be so complex that it too is something you'll never know. I forget exactly how these things are supplied to you, but I seem to remember one half is sent via snail mail and the other half is SMS messaged.

      In the days before password managers, there was literally no way any human on earth could have remembered those details that they only use once per year. Of course we all wrote them down, and of course that was horribly insecure and yes, I suspect a few of them got stolen along the way. Even with a password manager, you can't log on in an automated fashion because their website somehow stops that from working, but at least you could just write yourself a 'secure note' with the details you need to remember in it.

      Then along came biometrics (from the Home Office, who had their strings pulled by MI5, who in turn had theirs pulled by the NSA). They've tried time and time again to get the British Public to sign up to some biometric-based system for tracking the population. It's never really stuck though, so I suspect HMRC got hold of some 'Home Office Surplus' to do their biometric password stuff.

      Being the government though, no matter what they implement it'll feel like it'd be easier to break into the Bank of England than to use it, but if you look closely enough you'll see the whole thing is made of cardboard and sticky tape. It seems they didn't disappoint here, by keeping the recordings instead of the fingerprints of them. It's only lucky that they didn't copy them all to a USB stick and lose it on a train or in the back of a cab, I suppose.

    2. Re:Oh come on now, that's just dumb. by raburton · · Score: 5, Informative

      Problem is, or at least was, that it was not optional (not when I last called them and was "invited" to enroll anyway). Well, technically it might have been because I simply refused to speak when I was told to and after several prompts it gave up, but there was no indication that you could opt-out and so most people probably did as they were told by the recorded instructions. Consent isn't valid if it's only given under coercion, if people only do it because they have to (or think they have to) then they haven't consented.

    3. Re:Oh come on now, that's just dumb. by shufflingb · · Score: 2

      Minor quibble, keeping the original recordings is actually reasonable foresight, as it it allows subsequent re-coding of the "fingerprints" when technology improves. Other than that an excellent appraisal of the situation; I'm suspecting inside information ;-)

  6. Missing something by kenh · · Score: 2

    The voices of millions of taxpayers have been analyzed and stored by HM Revenue and Customs (HMRC) without consent, privacy campaigners say.

    and

    The Voice ID scheme, which was launched last year, asks callers to repeat the phrase "my voice is my password" to register.

    Once this task is complete, they can use the phrase to confirm their identity when managing their taxes.

    Responding to the request "repeat the phrase 'my voice is my password' the register" is giving consent - that the government agency might misuse the data is not the same as the government agency is misusing the data. This appears to be a case of "might" not "is".

    --
    Ken