The voices of millions of UK taxpayers were recorded, analysed and stored by HM Revenue and Customs (HMRC) without consent, according to the privacy watchdog group Big Brother Watch.
The group claims the HMRC's Voice ID system collected 5.1 million audio signatures and accuses the department of creating "biometric ID cards by the back door."
The Voice ID system was launched last year and asks users to repeat the phrase "my voice is my password" to register and allows them to use the phrase to confirm their identity when managing their taxes.
While HMRC claims the process helps speed up security procedures and improves access to digital services, the watchdog group said taxpayers were being "railroaded into a mass ID scheme", as they were not given the choice to opt out.
Silkie Carlo, director of Big Brother Watch told the BBC that the voice IDS could allow government agencies to identify citizens in other areas of their private life and is calling for the government agency to deleted the five million voiceprints.
HMRC told the news agency that the voice ID system was popular with customers and that identifying details were stored separately from the voice recordings.
The General Data Protection Regulation (GDPR), which went into full effect last month, requires organisations to obtain explicit consent before they use biometric data to identify someone, including voice recordings.
Ilia Kolochenko, CEO and founder of High-Tech Bridge told SC Media the HMRC may be lawfully exempted from many regulatory requirements as it is a governmental entity.
“The underlying purpose of data collection is probably perfectly legitimate and reasonable, however, the problem is whether HMRC is capable of duly securing the data, ”Kolochenko said. "Voice samples usable for identification can be leveraged by attackers in sophisticated phishing attacks.”
He went on to say that many European organisations become victims of fake phone calls allegedly from their management demanding to transfer funds, change shipment address or even to fire someone and that such a database would be attractive for cyber-criminals looking to carry out these type of attacks.
Andrew Bud, founder and CEO, iProov emailed SC Media UK to add: “Biometric authentication is the most user friendly and accessible way of determining whether a customer is in fact who they claim to be – just as humans would when at a customer service desk or at a border crossing, for example. Extensive studies have also highlighted just how effective these modern machine learning tools are at getting this right compared with humans.
"Privacy and trust are vital. There is a big difference between biometric recognition, which identifies citizens sometimes without their knowledge, and biometric authentication that helps the citizen confirm their identity, to their benefit and under their control. Every organisation offering this capability must adhere to the stringent regulations now in force to protect users' privacy.”