Thousands of taxpayers tell HMRC to delete voiceprint data it stored without consent

“My voice is not my password.”

Graham Cluley

In June 2018, privacy campaigners at Big Brother Watch revealed that the UK’s tax authority, HMRC, had created a giant database of the voiceprints of 5.1 million people.

The biometric data had been collected without consent when taxpayers called phone hotlines asking for advice.

As we discussed at the time on the “Smashing Security” podcast, callers were asked to repeat the phrase “My voice is my password” before being able to access HMRC services.

Smashing Security #084: 'No! My voice is not my password'

At the time, HMRC gave callers no easy way to opt out of what Big Brother Watch described as “one of the largest known state-held voice databases in the world.”

It seems Big Brother Watch’s revelation has done some good though.

HMRC’s automated helpline now asks callers whether they want to opt in or out of the ID scheme, and a recent Freedom of Information request has shown that although there are now some seven million users enrolled with a voice ID, since last June over 160,000 people have opted out of the scheme and had their biometric data deleted from HMRC’s systems.

But that means, of course, that there are still millions of voice IDs which were collected by the British government without permission.

That voice data should be deleted.

Fingers crossed that the Information Commissioner’s Office (ICO), which has been investigating Big Brother Watch’s complaint since mid-2018, agrees and orders HMRC to wipe the data.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

2 comments on “Thousands of taxpayers tell HMRC to delete voiceprint data it stored without consent”

  1. Gary

    When I first came across HMRC wanting my voiceprint I was so incensed that I shouted NOOOOO down the phone very loudly and continuously. This caused the system to fail and it gave up. So next time I phoned HMRC I just shouted, ahem, rude words into the phone and it gave up again.

    I just could not believe that HMRC were asking for a voiceprint; as far as I was concerned no matter what they might say about 'only using it for HMRC' my view is that voiceprints will be accessed by any Government department that wants them.

  2. Jane Smith

    Do we have an update from the ICO on this? I can't see anything on the ICO website.
    I, after waiting 30 minutes to speak to HMRC in Jan 2018, was appalled to be presented with the enforced voice recognition. It immediately seemed to me to be a major breach of the then DPA98. I stayed silent three times – rather than saying no, as I was worried even no might mean they recorded my voice – and thankfully it then did move on to continue the call without it, but I had no way of knowing that refusing to speak might mean I had the call cut out and I had to start holding again.

    I then complained to the ICO, mentioned the issue online and also did a subject access request to HMRC, who confirmed (promptly) that they hold no voice data of mine.
