Tax: Is your voice your password?
Most practitioners welcome innovative uses of technology but Donald Drysdale, a chartered IT practitioner, wonders whether HMRC have been too hasty in their adoption of voice biometrics. The views expressed are his own and not necessarily those of ICAS.
Once upon a time, before phishing became rife, we used to protect sensitive personal data with simple passwords. Then data breaches became commonplace, and protection methods more sophisticated.
Typically, organisations began to insist on periodic password changes. Then additional forms of access control were introduced. Two-factor authentication is now widely used in situations where privacy really matters – for example, to preserve the security of online banking and, of course, our tax records at HMRC.
In case you haven’t come across it yet, Voice ID is a new technology which HMRC introduced from January 2017 onwards. An automated facility, it invites those phoning certain HMRC helplines to make a voice recording which is then used to confirm their identity on future calls.
The first time they call, a user is asked to repeat the standard passphrase “My voice is my password” up to five times. Then they are transferred to an adviser to complete their call. The recorded passphrase is stored, and is available for matching when the customer repeats the passphrase for identification on subsequent calls.
Apparently each voiceprint has around 100 recognisable characteristics – some physical and some behavioural – which can’t readily be mimicked. According to Nuance, the company marketing the software, a user’s voice is as unique as their fingerprint so it can never be hacked or stolen.
By mid-2015 HMRC had announced that KCOM, then an SME, was in the middle of rolling out a completely-virtual call centre solution across the whole of the tax authority.
On introducing Voice ID, HMRC described it as “well-proven” technology and one of the most secure systems. Reportedly, they also described it as “the latest example of the cutting-edge technology” to make it easier for people to manage their tax and tax credits. In my dictionary, “cutting-edge” and “well-proven” are not necessarily synonymous.
The idea was that callers registered for Voice ID would save time when going through HMRC’s interactive voice response (IVR) system. HMRC estimate the time saving at 25 seconds, while KCOM puts it at around a minute.
Unless calling HMRC frequently, I suspect that security-conscious taxpayers might happily lose those seconds rather than have their voiceprint recorded and stored by a third party – especially had they been aware that they could opt out.
In June 2018 civil liberties campaign group Big Brother Watch published an article expressing concerns that HMRC were then holding 5 million voiceprints illegally in contravention of the General Data Protection Regulation (GDPR). Complaints were made to the Information Commissioner’s Office (ICO).
The GDPR imposes strict rules on processing biometric data. The data subject must give their clear, explicit, affirmative consent. But when HMRC had introduced Voice ID, callers were given no option to opt out, let alone opt in, and were not told how they could get their biometric data deleted.
In April 2018 HMRC revealed that a caller could opt out, in effect, by recording the passphrase as requested and then asking for their voiceprint to be deleted. This was hardly an approach to inspire confidence amongst taxpayers.
In practice an opt-out was available to enlightened callers by remaining silent, or saying something contrary such as “No” three times, when invited to record the standard passphrase. But it seems likely that many will have registered for Voice ID out of sheer frustration, thinking it the only way to complete the call they were then trying to make.
In July 2018 HMRC published a ‘privacy impact assessment’ containing many indecipherable acronyms and much gobbledygook. This states categorically: “Customers will (sic) also have the ability to opt-out, should they choose to.”
The document reveals: “Voiceprints are encrypted and stored in a secure database behind the firewall, just like any other sensitive customer data. The data stored, meets security standards.” It goes on to say: “There is no delete function and KCOM (sic) will hold the data for a number of years.”
HMRC had previously refused to disclose in which territory and by whom the voiceprint data is stored. Perhaps their reticence is explained by the above admission that the data is not even held by them. They also declined to provide a list of public authorities and other persons, including the software provider, who have access to the stored voiceprint data.
HMRC’s project is massive. By the time 3 million users had registered, KCOM’s website was saying that the implementation was already believed to be the largest public-facing public sector voice biometric service in the world.
In September 2018 at the House of Commons Public Accounts Committee, Jon Thompson of HMRC was grilled by committee member Lee Rowley about Voice ID. The record of the session makes interesting reading, starting at question 66. This demonstrates how HMRC had modified their approach following complaints to the ICO.
Last month Big Brother Watch issued a press release supported by a Freedom of Information response from HMRC. Some 7 million taxpayers have now registered for Voice ID, while 162,000 have asked for their voiceprint to be deleted. It is not disclosed how many have positively opted out by not registering in the first place.
How secure is ‘secure’?
A growing number of organisations are expected to adopt Voice ID. Many banks are experimenting with it. HSBC has been using it since 2016, and Barclays followed suit soon afterwards. A press report in 2017 told how a BBC reporter and his non-identical twin brother foiled HSBC’s ‘secure’ system, with one brother gaining access to the other’s bank accounts.
Reportedly the caller in that case was allowed eight attempts to get the passphrase right, and HSBC subsequently tightened its system. There have been suggestions that other Voice ID systems don’t necessarily place a tight enough restriction on the number of unsuccessful attempts permitted.
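To make the point about attempt limits concrete, here is an added Python example (not part of the original article, and not HMRC's, HSBC's or any vendor's code). It counts failed passphrase matches per customer across calls, hands off to an adviser once a limit is hit, and shows how an impostor's overall chance grows with the number of tries allowed. The limit of three, the one-day window, the 1% per-attempt false-accept rate and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3              # assumed policy value, not taken from any real system
WINDOW_SECONDS = 24 * 3600    # assumed: failures are counted over a rolling day


@dataclass
class VoiceIdLimiter:
    """Counts failed passphrase matches per customer, across separate calls."""
    max_failures: int = MAX_FAILURES
    window: int = WINDOW_SECONDS
    _failures: dict = field(default_factory=dict)   # customer_id -> [timestamps]

    def _recent(self, customer_id, now):
        # Keep only failures inside the window; hanging up and redialling
        # does not reset the count because it is keyed on the customer.
        kept = [t for t in self._failures.get(customer_id, [])
                if now - t < self.window]
        self._failures[customer_id] = kept
        return kept

    def attempt(self, customer_id, matched, now):
        """Return 'accept', 'retry' or 'adviser' for one passphrase attempt."""
        recent = self._recent(customer_id, now)
        if len(recent) >= self.max_failures:
            return "adviser"      # locked: even a voice match is not trusted
        if matched:
            return "accept"
        recent.append(now)
        return "adviser" if len(recent) >= self.max_failures else "retry"


def impostor_success_probability(far, attempts):
    """Chance that at least one of `attempts` tries is falsely accepted.

    Simplifying assumption: tries are independent with the same per-attempt
    false-accept rate `far`. A close relative's tries are likely correlated.
    """
    return 1.0 - (1.0 - far) ** attempts


# Constructed sample: (customer_id, matched, time in seconds), three calls apart.
SAMPLE_EVENTS = [("cust-1", False, 0), ("cust-1", False, 60),
                 ("cust-1", False, 120), ("cust-1", True, 180),
                 ("cust-1", True, 90_000)]


def replay(events):
    limiter = VoiceIdLimiter()
    return [limiter.attempt(c, m, t) for c, m, t in events]
```

With the assumed 1% rate, eight permitted attempts give an impostor roughly a 7.7% overall chance against about 3% for three attempts, which is why the retry limit matters as much as the matching accuracy.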
As more organisations embrace Voice ID, the quantity of stored voiceprint data will expand. As we have seen with non-biometric data, we can reasonably expect to see vast breaches of biometric data and huge investment by criminals in developing innovative ways to misuse that data.
Many organisations, including HMRC, record all phone conversations, and this is regarded as acceptable. But somehow, maintaining a voiceprint which is then used to allow access to confidential data – whether it be bank accounts or tax details – seems much more intrusive.
Should we support HMRC’s action in holding biometric data, particularly in apparent contravention of the GDPR? Or have they gone too far?
Article supplied by Taxing Words Ltd