According to Big Brother Watch, a British civil liberties defense organization, Her Majesty’s Revenue and Customs (HMRC) voice identification system has stored voice records from more than 5 million of British citizens, all without them knowing it or allowing it.
HMRC recognizes the fact, but blames the victims for not using the voluntary non-registration function. Anyway, Big Brother Watch explains when someone calls the department helpline will find an automated system. After answering the account verification questions, the system requires you to create a voice signature by repeating the phrase “my voice is my password.” This way, the automated system creates biometric voice identification for a government database, says civil organization spokespersons.
The privacy group also said that their research states that the only way to avoid creating a voice ID is to say “no” to the system, three times, before the system solves creating your Voice ID.
The problem is being investigated by the Information Commissioner’s Office. If found guilty, the HMRC may face heavy penalties as the whole process could be a violation of the General Data Protection Regulation (GDPR) of European legislation, report pentest specialists from the International Institute of Cyber Security.
Pursuant to article 9 of the GDPR, users of any service must provide their “explicit consent to the processing of their personal data for any purpose”, while Big Brother Watch claims that HMRC doesn’t asks users for that consent.
“We sent an information request to the HMRC to ask how an individual can safely remove his voice signature from the system and access it in a traditional way. Alarmingly, HMRC refused to answer our request, arguing ‘prejudice to the prevention or detection of crimes’. This suggests that taxpayer’s records are used in ways we don’t know”, say the organization.
Pentest specialists comment that biometric technology has worked to reduce frauds, but it is not a total solution. Cases like the one occurred at HSBC, where attackers gained access to the voice records of bank users, show that this security system is still vulnerable to attacks.
There’s no security technology completely foolproof, and now it’s possible to deceive speech recognition systems. Until the systems do not carry out the pentest to their security measures, the biometric voice authentication will continue to be a very vulnerable security method.