UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs

Her Majesty’s Revenue and Customs, aka the tax collector, has agreed to delete five million voice recordings it used to create biometric IDs. The Voice IDs were used to speed access to its phone line but were created before the implementation of the European General Data Protection Regulation (GDPR) and fell foul of the …

  1. }{amis}{ Silver badge
    Big Brother

    It's good progress in the right direction:

    But does anyone think the police will ever clean up their disgusting abuses of biometric data??

    1. beep54
      Facepalm

      Re: It's good progress in the right direction:

      I can just see them rubbing their hands gleefully going sure, sure we'll 'delete' all kinds of things and thinking to themselves: "These idiots have no real idea how delete works, do they?"

  2. Kevin Johnston

    "popular with our customers"

    In fact so popular that less than 25% of the people who had been forced to set this up ever bother to use it.

    1. macjules Silver badge

      Re: "popular with our customers"

      Well, so is death popular with HMRC “customers”* .

      * - aka ‘victims’

  3. Ken Hagan Gold badge

    Voice ID, over the phone, for financial security?

    Given how alike family members can sound and given the quality of the average phone line, I'm astonished that this is considered secure. Does anyone here have actual experience with this (on the implementation side)? How reliable is it?

    1. Velv Silver badge

      Re: Voice ID, over the phone, for financial security?

      I’m less concerned when the organisation is one I owe money to, there’s no way they can lose my money through the system.

      I’d be more concerned when the technology is securing the money I already have. Barclays seem to believe it is secure, they rolled it out in 2016:

      https://newsroom.barclays.com/r/3383/barclays_launches_voice_security_technology_to_all_customers

    2. Esme

      Re: Voice ID, over the phone, for financial security?

      I had no idea this was a thing (yeah, I've been out of the fray a while now). And I'm astonished. I used to catch colds so often when a youngster that days when I didn't have one were in a minority (I seem to have grown out of it, my immune system's seen so many colds over the years that nowadays it's rare one comes along that knocks me for six). My voice could be all over the show, depending on how bunged up I was and how sore my throat was. Indeed, it used to happen 2-3 times a year I'd be unable to speak for a couple of days or so.

      Voice ID is a terrible idea - and that's quite aside from the fact that some folk sound very like others and some are incredibly good mimics!

      1. Pascal Monett Silver badge

        It's not that bad

        Apparently it's a lot more reliable than facial recognition (not difficult, I know). The Guardian posted an article answering just that question last September.

        It can be fooled, as can everything, but The Guardian appears rather positive about it.

        1. grumpyoldeyore
          Joke

          Re: It's not that bad

          Well, the Guardian would be in favour of anything that didn't need you to spell....

      2. jmch Silver badge

        Re: Voice ID, over the phone, for financial security?

        "some folk sound very like others and some are incredibly good mimics!"

        That's the least problem. Voice recorders can record to extremely high quality, certainly enough that playback over a phone line is indistinguishable from live voice.

    3. Doctor Syntax Silver badge

      Re: Voice ID, over the phone, for financial security?

      "Given how alike family members can sound and given the quality of the average phone line"

      I've recently had a few phone conversations with a cousin for the first time in years and it's amazing how like her mother she sounds. I'd be surprised if the system could tell them apart.

      In passing I discovered that mailname@hotmail.com doesn't go to the same mailbox as mailname@hotmail.co.uk. I'd assumed they would and the fact that it isn't seems to open the door to impersonation without faffing with UTF look-alike characters.

    4. druck Silver badge
      Facepalm

      Re: Voice ID, over the phone, for financial security?

      I had to call HSBC once to sort out an issue, at the end of the call they tried to persuade me to sign up for voice recognition. This was despite me struggling to make myself understood throughout the call, due to suffering from laryngitis at the time.

  4. Mage Silver badge
    Devil

    Now the other voice collectors:

    Alphabetically

    Amazon, Apple, Google, Microsoft

    Probably many others.

    Also repeat after me, BIOMETRICS should NEVER be used as security. They are like a name tag, except you can change your name by deed pole (rules vary by Country) but you can't easily change your voice, fingerprints, retina, face, blood vessels etc.

    1. Mage Silver badge
      Facepalm

      Re: Now the other voice collectors:

      Poll

  5. Anonymous Coward

    ICO have nothing but false teeth...

    This is not an example of the ICO having teeth. This is just one Government organisation voluntarily notifying the ICO, while attempting to comply with GDPR.

    What exactly has the ICO stated its 'teeth' are going to do to the HMRC exactly if they don't comply?

    Absolutely nothing, because the ICO has no fucking teeth.

    My experience of the ICO and all these regulatory quangos is they fob you off saying that's a problem for <insert your Government regulatory quango>, not us, when it's clearly their problem but don't want to get involved. Their online chat is a complete waste of time, effort and space.

    These orgs are just a merry-go-round of headbanging, where nothing actually gets done. They're utterly defensive against any criticism too. Their own image has become more important than the actual role they're supposed to do.

    The lack of attention to detail by these organisations is woeful, as an example, look at Ofcom, in their broadband suppliers annual complaints survey, they describe one supplier as 'Sky'.

    There is no supplier called 'Sky', there is either "Sky Broadband" or "Now(TV) Broadband" ("Sister companies" both part of parent company Sky plc). That's why these companies run rings around the regulators, the regulator has absolutely no clue at that level of detail, and no, you can't migrate from Now(Tv) Broadband to Sky Broadband (and vice versa) fully online (to take advantage of new customer discounts, even though you've never been a customer), because the underlying clunky legacy Openreach job ticketing systems regulated by Ofcom, see "Sky Broadband" and NowTV Broadband as fucking "Sky", and you're back to square one.

    Who regulates the regulators?

    None of the regulators seems to test the arbitrary rules/systems they put in place. i.e. 'Secret customer style' pretending to be an external company raising a data issue with the ICO, to report how the problem was dealt with by the ICO.

    Then there is Ofgem, we'd be clearly better off without this manure spreading org, utterly useless.

  6. steelpillow Silver badge
    Mushroom

    WTF?

    Given the technology race to spoof biometrics and the fact that the main hackers into HMRC will be big players who can afford such technologies, one has to ask, WTF?

    Voice cloning technology is already in use. It is hardly beyond the wit of Big Blackhat to commission a system which, when spoken to in one voice, repeats the same words down the phone in another.

    A facility that allows con artists to access taxpayers' accounts with greater speed than before is hardly progress for the rest of us.

    1. 142

      Re: WTF?

      > It is hardly beyond the wit of Big Blackhat to commission a system which, when spoken to in one voice, repeats the same words down the phone in another

      It's not outside the wit of a small blackhat, either. That'd be easy with consumer software.

      One would hope they have a secondary system to listen for the hallmarks of modified/synthesised speech, but why am I skeptical?

  7. N2 Silver badge

    ...and enables us to get callers through to an adviser faster

    Fuck off,

    It always takes ages to speak to them, following which, the dolts just cock things up even more.

    1. johnnyblaze

      Re: ...and enables us to get callers through to an adviser faster

      I'd upvote that comment x100 if I could. So true.

    2. Velv Silver badge

      Re: ...and enables us to get callers through to an adviser faster

      I’ve only ever had to call the Corporation Tax office, and both times got through immediately, they were surprisingly friendly, got to the account quickly and fixed the problem on the phone. I guess it depends on the type of problem and customer for the service quality.

    3. SImon Hobson Silver badge

      Re: ...and enables us to get callers through to an adviser faster

      I disagree too. I've had to call HMRC a few times. While I've sometimes had to wait a while, it's not been half as bad as some other organisations (gov and non-gov). And I've found the staff generally helpful - though of course, you'll never get anyone at HMRC to give you anything more than non-binding advice.

      And while it's a general PITA doing it at all, the online system for doing personal tax returns is both free and usable - the latter probably because HMRC refused to let the government's online digital group f**k it up like they've done with so many other government sites.

    4. Ian Emery Silver badge

      Re: ...and enables us to get callers through to an adviser faster

      Unlike the first 2 comments, I have found them to be a nightmare, 2016/17 accounts - I spent 3 months calling and emailing them about a problem with my HMRC account and records. Finally I wrote a dead tree letter which WAS finally actioned on, got a call and arranged a face to face meeting.

      Sadly, they managed to cock something new up for my 2017/18 accounts.

      Managed to get through and THOUGHT I had got that sorted, only to find they had made a correction for 2016/17 for a partnership that DOESN'T EXIST, then recreated the problem for 2017/18 and just sent me a massive bill.

      Still haven't managed to get them to admit I paid PAYE in 2014/15-15/16, even after showing them the payslips.

      Going by my experience, I expect they will delete everything EXCEPT the records they are supposed to delete.

  8. Disgusted of Cheltenham

    Why does it always take so long to fix?

    It was obvious from when this was turned on that it was not being done with consent or any other legal basis, so how in their world of agile development did the issue not get noted, considered, and resolved rather than needing such effort to accept it was a mistake? It's not as if there's some political mandate like Universal credit under which jobsworths can hide. Of course most of us only need to phone them because we have a slightly more complicated case than the simplified big-font online information covers; this enforced attempt at enrolment came after the usual annoying exhortation to use w w w dot gov dot uk forward slash ... which not only adds to the delay and frustration of the caller but makes it harder for those answering the pre-grumpified 'customers'. I don't see any costings for taxpayers' wasted time, but, like a quarter of an hour each for 6 million failed attempts to use Verify, it starts to add up.

  9. Tim99 Silver badge
    Big Brother

    Don't worry

    <Joke>Other Five Eyes countries have nice, safe, reliable backups.</Joke>

    Is that black helicopters that I hear?

  10. Dan 55 Silver badge

    My voice is my passport

    Seems like nobody's seen Sneakers.

    1. Cardinal

      Re: My voice is my passport

      Yesh, thish shertainly ish the real Jamesh Bond shpeaking Mish Moneypenny! Are you taking the pish?

    2. Mage Silver badge

      Re: My voice is my passport

      Or read Roland Perry's "Program for a Puppet"

      More than one aspect is topical.

  11. John Smith 19 Gold badge
    Gimp

    Smelt like a plan to populate a National ID Registers with a clean upload

    Still does.

    Naturally rolled out (without any consultation) as a system "for the greater good"

    Whose?

  12. Anonymous Coward

    This is a massive success for Big Brother Watch

    self-serving (...)

  13. Doctor Syntax Silver badge

    It must have come as a nasty shock to HMRC to discover that not only do other parts of the govt. make rules but that they, HMRC are not above the law and have to follow said rules.

    1. Dan 55 Silver badge

      Obviously the Home Office is made of sterner stuff.

    2. Scroticus Canis
      Big Brother

      HMRC are not above the law...

      The "Her Majesty's" bit in fact says they mostly are; you cannot sue a Crown Office. It also means they do not need a search warrant when they come to inspect your books, imports (legal and otherwise), etc...

      It was always a power that H.M. Customs & Excise had (The Knock) and by combining them and the Inland Revenue the same powers were extended to the tax man. Neat eh!

  14. steviebuk Silver badge

    The funny thing is

    my voice is my password was obviously stolen from the film Sneakers. In that they used a recording playback of the person's voice. I wanted to test this on their system. Recorded myself setting up my voice password. Called HMRC back but there was no option I could find to even use it. So never got to test the play back recording out :(

    1. Nick Ryan Silver badge

      Re: The funny thing is

      Voice, like fingerprints, should never be used as a password. Possibly as an identifier, or as part of a multi-way authentication system that is genuinely secret, but never to replace something secret.

      More idiot developers and managers who have been suckered in by Hollywood nonsense. Next they'll believe that Unix is a 3D file system navigator (or that this is a good idea).

    2. Robert Carnegie Silver badge

      Re: The funny thing is

      Suppose if A N Other web site also requires you to log in by saying "My voice is my password". Then... well, it's the same password obviously.

      I wonder if it works if you say "My boss is a (cussword)" instead? And do it consistently.

      And yet voice identification security worked fine in Gerry Anderson's "U.F.O." television series back in 1980. (Set in 1980, made in 1970.)

      A minor detail in recent (...1989??) near future satirical science fiction novel "Cyberbooks" (someone invents an e-reader with colour and moving pictures; the paper publishing industry panics) was somebody's voice-print door lock that repeatedly and consistently doesn't recognise him until he loses his temper and starts yelling at it, which presumably is how he felt when he set it.

  15. J.G.Harston Silver badge

    I recently started seeing job adverts for "experienced GDPR data managers".

    1. Dan 55 Silver badge

      Five years experience minimum?

    2. Wedgie

      I don't think that's unreasonable, arguably there are some people in that role with a couple of years of experience covering the pre-implementation period & then living with the beast for almost a year.

      1. Nick Ryan Silver badge

        Or just people like me who worked with the original Data Protection Act and found the GDPR not even remotely scary: because I'm capable of reading the GDPR itself and not running around like a headless chicken throwing tens of thousands at consultants and lawyers and then deleting everything just in case.


Biting the hand that feeds IT © 1998–2019