Back in June 2018 it was revealed that the UK’s tax authority, HMRC, had collected the voiceprints of 5.1 million taxpayers into a gigantic database.
The biometric voice data had been collected without explicit consent from people calling HMRC’s telephone hotline for advice.
That breach of privacy rules means that HMRC has now been ordered to delete the data it collected within the next five weeks.
As we discussed at the time on the “Smashing Security” podcast, callers were asked to repeat the phrase “My voice is my password” before being able to access HMRC services.
Smashing Security #084: 'No! My voice is not my password'
If it hadn’t been for privacy campaigners at Big Brother Watch making a stink about HMRC’s breach of privacy rules and complaining to the Information Commissioner’s Office (ICO), it’s unlikely the data would ever have been erased – giving the British government “one of the largest known state-held voice databases in the world.”
In October 2018, HMRC changed the way it sought permission to collect voice IDs. If you have called the tax hotline since then, any voiceprint collected will not be included amongst those now being deleted before the ICO’s deadline of 5 June.
In short, HMRC will now continue to collect biometric data of people calling it on the telephone – but only if callers choose to opt in to the scheme.
As BBC News reports, Big Brother Watch views the outcome as a big success:
“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”