To hear the spokesperson from Big Brother Watch explain it: Her Majesty’s Revenue & Customs (HMRC) department engaged in “shady practices” by registering voiceprints to be used to authenticate callers to its support lines. In this press release issued in June 2018, the group announced that it had filed a complaint with the Information Commissioner’s Office (ICO) and Silkie Carlos, director of Big Brother Watch asserted, “Taxpayers are being railroaded into a mass ID scheme that is incredibly disturbing.” She also stated that the voiceprints could be used to enable “ordinary citizens to be identified by government agencies across other areas of their private lives.”
The complaint had its intended effect when HMRC began deleting the voiceprints of roughly 5 million citizens. The ICO agreed that HMRC had violated rules that had been spelled out in the General Data Privacy Regulation (GDPR) specifying that personal or private information, which include biometrics, cannot be captured and stored without informing individuals of their purpose and gaining explicit consent. In May 2018, when GDPR went into effect, HMRC had already compiled something on the order of 5.1 million voiceprints to support rapid authentication when making subsequent calls to the department’s support lines. It has 28 days to complete the erasure and says it expects to have completed the task well before the June 5th deadline.
1.5 Million Voiceprints Stay Registered, For Good Reason
When the task is done, 1.5 million people will continue to have their voiceprints in use for easy authentication by HMRC. That’s because the department changed the procedures it has used to inform and enroll citizens into the program in October 2018. Opus Research expects that number to grow in line with the use of voice biometrics for authentication around the world. Indeed, in February 2018, the Australian Tax Office (ATO) reported that more than 3.4 million citizens had registered and used their voice as a security control when interacting with the tax office.” In 2015, New Zealand proudly reported that 1.4 million of its citizens had signed up with its Inland Revenue Division (IRD) to use voice authentication. Based on the speed and ease of authentication, its chief minister claimed that “The Voice ID feature has also managed to save the country more than 15,000 hours of phone time each year.”
In spite of what might be called a “technical glitch” around authentication procedures, the benefits of voice biometrics-based authentication is driving adoption well beyond government agencies. Opus Research forecasts that retail banks, brokerages , communications service providers, insurance carriers and others will have over 400 million of their customers or clients enrolled for what we call “Intelligent Authentication.”
GDPR Leads to Good Practices for Enrollment
Sustained growth in enrollments depends on how well enterprises comply with relevant elements of GDPR. The document defines biometrics as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person”. They are regarded as sensitive personal informationm and enterprises need informed consent to use them for specific purpose, such as identification or authentication.
GDPR also mandates voiceprints be stored securely and deleted (along with other personal information) on the request of the customer or, as HMRC learned, at the mandate of a government agency acting on behalf of groups of people who may not have been treated properly. That’s why adherence to two very simple rules has become mandatory.
- Rule One: Notify each individual that you are going to use their voiceprints and how you will be doing so. This sort of disclosure should involve a descriptions of the proven benefits to the customer of convenient, speedy authentication.
- Rule Two: Gain explicit permission to create that individual’s voiceprint, through recital of a passphrase, capture of a contemporaneous conversion, or conversion of previously recorded conversations.
There will always be resistance and friction against biometrics-based authentication or identification mounted in the name of privacy. Big Brother Watch considered the deletion of 5 million voice prints to be a great victory. Press outlets are happy to report such outcomes as if they are scandals. There may be short term, negative impact but the longer term result will be greater attention to the rights of individuals to take conscious control of their personal information and define how it may be used.
Categories: Intelligent Authentication, Articles