Tax: Is your voice your password?

By Donald Drysdale for ICAS

20 February 2019

Main Points:

  • Voice ID, a new technology which HMRC introduced from January 2017 onwards, records biometric voiceprints of telephone callers.

  • HMRC confirmed last July that there is no delete function and that KCOM, an HMRC contractor, will hold the data for a number of years.

  • Have HMRC gone too far in holding biometric data in apparent contravention of the GDPR?

Most practitioners welcome innovative uses of technology but Donald Drysdale, a chartered IT practitioner, wonders whether HMRC have been too hasty in their adoption of voice biometrics. The views expressed are his own and not necessarily those of ICAS.

Protecting data

Once upon a time, before phishing became rife, we used to protect sensitive personal data with simple passwords. Then data breaches became commonplace, and protection methods more sophisticated.

Typically, organisations began to insist on periodic password changes. Then additional forms of access control were introduced. Two-factor identification is now widely used in situations where privacy really matters – for example, to preserve the security of online banking and, of course, our tax records at HMRC.

Voice ID

In case you haven’t come across it yet, Voice ID is a new technology which HMRC introduced from January 2017 onwards. An automated facility, it invites those phoning certain HMRC helplines to make a voice recording which is then used to confirm their identity on future calls.

The first time they call, a user is asked to repeat the standard passphrase “My voice is my password” up to five times. Then they are transferred to an adviser to complete their call. The recorded passphrase is stored, and is available for matching when the customer repeats the passphrase for identification on subsequent calls.

Apparently each voiceprint has around 100 recognisable characteristics – some physical and some behavioural – which can’t readily be mimicked. According to Nuance, the company marketing the software, a user’s voice is as unique as their fingerprint so it can never be hacked or stolen.

By mid-2015 HMRC had announced that KCOM, then an SME, was in the middle of rolling out a completely-virtual call centre solution across the whole of the tax authority.

On introducing Voice ID, HMRC described it as “well-proven” technology and one of the most secure systems. Reportedly, they also described it as “the latest example of the cutting-edge technology” to make it easier for people to manage their tax and tax credits. In my dictionary, “cutting-edge” and “well-proven” are not necessarily synonymous.

The idea was that callers registered for Voice ID would save time when going through HMRC’s interactive voice response (IVR) system. HMRC estimate the time saving at 25 seconds, while KCOM puts it at around a minute.

Unless calling HMRC frequently, I suspect that security-conscious taxpayers might happily lose those seconds rather than have their voiceprint recorded and stored by a third party – especially had they been aware that they could opt out.

Privacy concerns

In June 2018 civil liberties campaign group Big Brother Watch published an article expressing concerns that HMRC were then holding 5 million voiceprints illegally in contravention of the General Data Protection Regulation (GDPR). Complaints were made to the Information Commissioner’s Office (ICO).

The GDPR imposes strict rules on processing biometric data. The data subject must give their clear, explicit, affirmative consent. But when HMRC had introduced Voice ID, callers were given no option to opt out, let alone opt in, and were not told how they could get their biometric data deleted.

In April 2018 HMRC revealed that a caller could opt out, in effect, by recording the passphrase as requested and then asking for their voiceprint to be deleted. This was hardly an approach to inspire confidence amongst taxpayers.

In practice an opt-out was available to enlightened callers by remaining silent, or saying something contrary such as “No” three times, when invited to record the standard passphrase. But it seems likely that many will have registered for Voice ID out of sheer frustration, thinking it the only way to complete the call they were then trying to make.

In July 2018 HMRC published a ‘privacy impact assessment’ containing many indecipherable acronyms and much gobbledygook. This states categorically: “Customers will (sic) also have the ability to opt-out, should they choose to.”

The document reveals: “Voiceprints are encrypted and stored in a secure database behind the firewall, just like any other sensitive customer data. The data stored, meets security standards.” It goes on to say: “There is no delete function and KCOM (sic) will hold the data for a number of years.”

HMRC had previously refused to disclose in which territory and by whom the voiceprint data is stored. Perhaps their reticence is explained by the above admission that the data is not even held by them. They also declined to provide a list of public authorities and other persons, including the software provider, who have access to the stored voiceprint data.

HMRC’s project is massive. By the time 3 million users had registered, KCOM’s website was saying that the implementation was already believed to be the largest public-facing public sector voice biometric service in the world.

In September 2018 at the House of Commons Public Accounts Committee, Jon Thompson of HMRC was grilled by committee member Lee Rowley about Voice ID. The session makes interesting reading here, starting at question 66. This demonstrates how HMRC had modified their approach following complaints to the ICO.

Last month Big Brother Watch issued a press release supported by a Freedom of Information response from HMRC. Some 7 million taxpayers have now registered for Voice ID, while 162,000 have asked for their voiceprint to be deleted. It is not disclosed how many have positively opted out by not registering in the first place.

How secure is ‘secure’?

A growing number of organisations are expected to adopt Voice ID. Many banks are experimenting with it. HSBC has been using it since 2016, and Barclays followed suit soon afterwards. A press report in 2017 told how a BBC reporter and his non-identical twin brother foiled HSBC’s ‘secure’ system, with one brother gaining access to the other’s bank accounts.

Reportedly the caller in that case was allowed eight attempts to get the passphrase right, and HSBC subsequently tightened its system. There have been suggestions that other Voice ID systems don’t necessarily place a tight enough restriction on the number of unsuccessful attempts permitted.

As more organisations embrace Voice ID, the quantity of stored voiceprint data will expand. As we have seen with non-biometric data, we can reasonably expect to see vast breaches of biometric data and huge investment by criminals in developing innovative ways to misuse that data.

Many organisations, including HMRC, record all phone conversations, and this is regarded as acceptable. But somehow, maintaining a voiceprint which is then used to allow access to confidential data – whether it be bank accounts or tax details – seems much more intrusive.

Should we support HMRC’s action in holding biometric data, particularly in apparent contravention of the GDPR? Or have they gone too far?

Article supplied by Taxing Words Ltd
