There has been some recent controversary over the government’s use of the ‘my voice is my password’ system.
Privacy campaigners have reportedly called for HRMC to delete the millions of recordings they hold for people who use the ‘my voice is my password’ system because they’ve failed to gain clear and proper consent from users of the system. The government say that the system is secure, and they have relied on implied consent; but privacy watchdogs are concerned over consent, security and storage.
Eyebrows have certainly been raised…
The ‘my voice is my password’ system criticised
The ‘my voice is my password’ has faced heavy criticism recently from privacy watchdogs who say that the HMRC should delete the millions of recordings they have of people’s voices.
With some 5.1m callers in a recent annual period, the use of HMRC’s ‘voiceprints’ is being probed because they’ve reportedly failed to ask for proper permission to store and use the recordings. It’s understood that HMRC are changing the way they gain consent for people to use the ‘my voice is my password’ system, but they have until now relied on implied consent from users.
It’s important to know that implied consent does not always constitute as proper consent.
Concerns over ‘my voice is my password’ security
Concerns have also been raised over the security of the ‘my voice is my password’ system used by HMRC.
What if the system was hacked? They’re not the only ones using the system, as some high street banks use it as well. With a failure to gain proper consent comes the worry that they have perhaps failed to properly secure the voice recordings, but HMRC say that the system is secure.
Still, if it was ever hacked, people would have every right to be incredibly worried. You can change a password, but it’s not so easy to change your voice! Plus, the system can reportedly be fooled by people who have similar voices, such as siblings.
The public sector is already heavily targeted because of security vulnerabilities. Last year’s WannaCry attack was a huge example of this.
What about GDPR?
The issue over consent for the ‘my voice is my password’ system is exactly the kind of hot water an organisation could land themselves in by the simple act of not doing something completely right.
Whether there will be a GDPR fine or not remains to be seen, but assuming implied consent is OK for something like this could be the downfall of an organisation that finds themselves on the wrong end of the law.