UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs Her Majesty’s Revenue and Customs, aka the tax collector, has agreed to delete five million voice recordings it used to create biometric IDs. The Voice IDs were used to speed access to its phone line but were created before the implementation of the European General Data Protection Regulation (GDPR) and fell foul of the …
I’m less concerned when the organisation is one I owe money to, there’s no way they can lose my money through the system.
I’d be more concerned when the technology is securing the money o already have. Barclays seem to believe it is secure, they rolled it out in 2016:
https://newsroom.barclays.com/r/3383/barclays_launches_voice_security_technology_to_all_customers
I had no idea this was a thing (yeah, Iive been out of the fray a while now). And I'm astonished. I used to catch colds so often when a youngster that days when I didnt have one were in a minority (I seem to have grown out of it, my immune system's seen so many colds over the years that nowadays it's rare one comes along that knocks me for six). My voice could be all over the show, depending on how bunged up I was and how sore my throat was,. Indeed, it used to happen 2-3 times a year I'd be unable to speak for a couple of days or so.
Voice ID is a terrible idea - and that's quite aside from the fact that some folk sound very like others and some are incredibly good mimics!
Apparently it's a lot more reliable than facial recognition (not difficult, I know). The Guardian posted an article answering just that question last September.
It can be fooled, as can everything, but The Guardian appears rather positive about it.
"some folk sound very like others and some are incredibly good mimics!"
That's the least problem. Voice recorders can record to extremely high quality, certainly enough that playback over a phone line is indistinguishable from live voice
"Given how alike family members can sound and given the quality of the average phone line"
I've recently had a few phone conversations with a cousin for the first time in years and it's amazing how like her mother she sounds. I'd be surprised if the system could tell them apart.
In passing I discovered that mailname@hotmail.com doesn't go to the same mailbox as mailname@hotmail.co.uk. I'd assumed they would and the fact that it isn't seems to open the door to impersonation without faffing with UTF look-alike characters.
I had to call HSBC once to sort out an issue, at the end of the call they tried to persuade me to sign up for voice recognition. This was despite me struggling to make myself understood throughout the call, due to suffering from laryngitis at the time.
Alphabetically
Amazon, Apple, Google, Microsoft
Probably many others.
Also repeat after me, BIOMETRICS should NEVER be used as security. They are like a name tag, except you can change your name by deed pole (rules vary by Country) but you can't easily change your voice, fingerprints, retina, face, blood vessels etc.
This is not an example of the ICO having teeth. This is just one Government organisation voluntarily notifying the ICO, while attempting to comply with GDPR.
What exactly has the ICO stated its 'teeth' are going to do to the HMRC exactly if they don't comply?
Absolutely nothing, because the ICO has no fucking teeth.
My experience of the ICO and all these regulatory quangos if they fob you off saying that's a problem for <insert your Government regulatory quango>, not us, when it's clearly their problem but don't want to get involved. Their online chat is a complete waste of time, effort and space.
Theses orgs are just a merry-go-round of headbanging, where nothing actually gets done. They're utterly defensive against any criticism too. Their own image has become more important than the actual role they're supposed to do.
The lack of attention to detail by these organisations is woeful, as an example, look at Ofcom, in their broadband suppliers annual complaints survey, they describe one supplier as 'Sky'.
There is no supplier called 'Sky', there is either "Sky Broadband" or "Now(TV) Broadband" ("Sister companies" both part of parent company Sky plc). That's why these companies run rings around the regulators, the regulator has absolutely no clue at that level of detail, and no, you can't migrate from Now(Tv) Broadband to Sky Broadband (and vice versa) fully online (to take advantage of new customer discounts, even though you've never been a customer), because the underlying clunky legacy Openreach job ticketing systems regulated by Ofcom, see "Sky Broadband" and NowTV Broadband as fucking "Sky", and you're back to square one.
Who regulates the regulators?
None of the regulators seems to test the arbitrary rules/systems they put in place. i.e. 'Secret customer style' pretending to be an external company raising a data issue with the ICO, to report how the problem was dealt with by the ICO.
Then there is Ofgem, we'd be clearly better off without this manure spreading org, utterly useless.
Given the technology race to spoof biometrics and the fact that the main hackers into HMRC will be big players who can afford such technologies, one has to ask, WTF?
Voice cloning technology is already in use. It is hardly beyond the wit of Big Blackhat to commission a system which, when spoken to in one voice, repeats the same words down the phone in another.
A facility that allows con artists to access taxpayer's accounts with greater speed than before is hardly progress for the rest of us.
> It is hardly beyond the wit of Big Blackhat to commission a system which, when spoken to in one voice, repeats the same words down the phone in another
It's not outside the wit of a small blackhat, either. That'd be easy with consumer software.
One would hope they have a secondary system to listen for the hallmarks of modified/synthesised speech, but why am I skeptical?
I’ve only ever had to call the Corporation Tax office, and both times got through immediately, they were surprisingly friendly, got to the account quickly and fixed the problem on the phone. I guess it depends on the type problem and customer for the service quality.
I disagree too. I've had to call HMRC a few times. While I've sometimes had to wait a while, it's not been half as bad as some other organisations (gov and non-gov). And I've found the staff generally helpful - though of course, you'll never get anyone at HMRC to give you anything more than non-binding advice.
And while it's a general PITA doing it at all, the online system for doing personal tax returns is both free and usable - the latter probably because HMRC refused to let the government's online digital group to f**k it up like they've done with so many other government sites.
Unlike the first 2 comments, I have found them to be a nightmare, 2016/17 accounts - I spent 3 months calling and emailing them about a problem with my HMRC account and records. Finally I wrote a dead tree letter which WAS finally actioned on, got a call and arranged a face to face meeting.
Sadly, they managed to cock something new up for my 2017/18 accounts.
Managed to get through and THOUGHT I had got that sorted, only to find they had made a correction for 2016/17 for a partnership that DOESNT EXIST, then recreated the problem for 2017/18 and just sent me a massive bill.
Still havent managed to get them to admit I paid PAYE in 2014/15-15/16, even after showing them the payslips.
Going by my experience, I expect they will delete everything EXCEPT the records they are supposed to delete.
It was obvious from when this was turned on that it was not being done with consent or any other legal basis, so how in their world of agile development did the issue not get noted, considered, and resolved rather than needing such effort to accept it was a mistake? It's not as if there's some political mandate like Universal credit under which jobsworths can hide. Of course most of us only need to phone then because we have a slightly more complicated case than the simplified big-font online information covers; this enforced attempt at enrolment came after the usual annoying exhortation to use w w w dot gov dot uk forward slash ... which not only adds to the delay and frustration of the caller but makes it harder for those answering the pre-grumpified 'customers'. I don't see any costings for taxpayer's wasted time, but, like a quarter of an hour each for 6 million failed attempts to use Verify , it starts to add up.
The "Her Majesty's" bit in fact says they mostly are; you cannot sue a Crown Office. It also means they do not need a search warrant when they come to inspect your books, imports (legal and otherwise), etc...
It was always a power that H.M. Customs & Excise had (The Knock) and by combining them and the Inland Revenue the same powers were extended to the tax man. Neat eh!
my voice is my password was obviously stolen from the film Sneakers. In that they used a recording playback of the persons voice. I wanted to test this on their system. Recorded myself setting up my voice password. Called HMRC back but there was no option I could find to even use it. So never got to test the play back recording out :(
Voice, like fingerprints, should never be used as a password. Possibly as an identifier, or as part of a multi-way authentication system that is genuinely secret, but never to replace something secret.
More idiot developers and managers who have been succored in by hollywood nonsense. Next they'll believe that Unix is a 3D file system navigator (or that this is a good idea)
Suppose if A N Other web site also requires you to log in by saying "My voice is my password". Then... well, it's the same password obviously.
I wonder if it works if you say "My boss is a (cussword)" instead? And do it consistently.
And yet voice identification security worked fine in Gerry Anderson's "U.F.O." television series back in 1980. (Set in 1980, made in 1970.)
A minor detail in recent (...1989??) near future satirical science fiction novel "Cyberbooks" (someone invents an e-reader with colour and moving pictures; the paper publishing industry panics) was somebody's voice-print door lock that repeatedly and consistently doesn't recognise him until he loses his temper and starts yelling at it, which presumably is how he felt when he set it.
Or just people like me who worked with the original Data Protection Act and found the GDPR not even remotely scary: because I'm capable of reading the GDPR itself and not running around like a headless chicken throwing tens of thousands at consultants and lawyers and then deleting everything just in case.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
