The voices of millions of UK taxpayers were recorded, analyzed and stored by HM Revenue and Customs (HMRC) without consent, according to the privacy watchdog group Big Brother Watch.
The group claims the HMRC's Voice ID system collected 5.1 million audio signatures and accuses the department of creating "biometric ID cards by the back door."
The Voice ID system, launched last year, asks users to repeat the phrase "my voice is my password" to register, then lets them use the phrase to confirm their identity when managing their taxes.
While HMRC claims the process helps speed up security procedures and improves access to digital services, the watchdog group said taxpayers were being "railroaded into a mass ID scheme", as they were not given the choice to opt out.
Silkie Carlo, director of Big Brother Watch, told the BBC that the voice IDs could allow government agencies to identify citizens in other areas of their private life and is calling for the government agency to delete the five million voiceprints.
HMRC told the news agency that the voice ID system was popular with customers and that identifying details were stored separately from the voice recordings.
The General Data Protection Regulation (GDPR), which went into full effect last month, requires organizations to obtain explicit consent before they use biometric data to identify someone, including voice recordings.
Ilia Kolochenko, CEO and founder of High-Tech Bridge, told SC Media the HMRC may be lawfully exempted from many regulatory requirements as it is a governmental entity.
“The underlying purpose of data collection is probably perfectly legitimate and reasonable, however, the problem is whether HMRC is capable of duly securing the data,” Kolochenko said.
“Voice samples usable for identification can be leveraged by attackers in sophisticated phishing attacks.”
He went on to say that many European organizations become victims of fake phone calls, allegedly from their management, demanding that they transfer funds, change a shipment address or even fire someone, and that such a database would be attractive to cybercriminals looking to carry out these types of attacks.